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ELECTRONIC COMMUNICATIONS 
PRIVACY ACT REFORM 


WEDNESDAY, MAY 5, 2010 

House of Representatives, 

Subcommittee on the Constitution, 

Civil Rights, and Civil Liberties, 

Committee on the Judiciary, 

Washington, DC. 

The Subcommittee met, pursuant to notice, at 2:53 p.m., in room 
2141, Rayburn House Office Building, the Honorable Jerrold Nad- 
ler (Chairman of the Subcommittee) presiding. 

Present: Representatives Nadler, Watt, Scott, Johnson, Cohen, 
Chu, and Sensenbrenner. 

Staff present: (Majority) David Lachman, Subcommittee Chief of 
Staff; Stephanie Pell, Counsel; (Minority) Caroline Lynch, Counsel; 
and Art Baker, Counsel. 

Mr. Nadler. This hearing of the Subcommittee on the Constitu- 
tion, Civil Rights, and Civil Liberties will come to order. We apolo- 
gize for coming to order late, but the votes on the floor necessitated 
that. We will begin by recognizing myself for a 5-minute opening 
statement. 

Today’s hearing is the beginning of a process through which the 
Subcommittee will revisit the statutory framework Congress estab- 
lished in the 1986 Electronic Communication Privacy Act, ECPA, 
in spite of the enormous technological advances which have taken 
place in electronic communications over the last 24 years. 

Because of the complexity of the subject, both legal and techno- 
logical, this hearing will probably be the first of several we will 
hold as we consider what, if any, reforms should be made to the 
Act so that it might function more effectively in the future. 

ECPA was passed in 1986, well before we commonly used the 
Internet for e-mail, much less for cloud computing and remote stor- 
age, at a time when cell phones were rare, often the size of small 
kitchen appliances, and included no tracking technologies capable 
of mapping our every movement. Communications technology now 
evolves at an exponential pace. 

So in 1986 ECPA fixed the statutory standards law enforcement 
would have to meet to access private communications data in a 
technological environment as far removed from our own as that of 
1986 was from the day Alexander Graham Bell said, “Mr. Watson, 
come here. I need you.” in the first telephone call 110 years earlier. 

The lightning pace of innovation in communications technology 
brings with it enormous improvements in the quality of life for our 

( 1 ) 
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citizens that in many ways marked the age we live in as a new 
epoch, which might he called the Internet Age. But it must he said, 
particularly by the Committee on the Judiciary, that these events 
also provide criminals with new platforms for unlawful activity. 

Moreover, it must also be said here on the Subcommittee on the 
Constitution that these robust new communications technologies 
bring with them new opportunities for law enforcement agencies, 
charged to protect us from such criminals, to intervene in our pri- 
vate lives. Thus, we must consider whether ECPA still strikes the 
right balance between the interests and needs of law enforcement 
and privacy interests of the American people. 

This is only the beginning of a dialogue that must go on to in- 
clude the input of, among others, law enforcement at the Federal, 
state and local level, private industry stakeholders across the com- 
plex network of networks that is modern communications, and aca- 
demic experts on technology, privacy and Fourth Amendment 
issues. 

But today all of the Members of the Subcommittee can begin this 
inquiry through a dialogue that raises these issues with this distin- 
guished panel of witnesses. Today we can begin the work of making 
ECPA work for our time and for all concerned. This is an enormous 
responsibility, and this Subcommittee needs everyone’s help to get 
it right. As such, all of us sit on this panel at least in part as stu- 
dents today. 

I thank you in advance for what you will teach us. 

As for myself, some of the questions I propose to the class are 
how have changes in the Internet made it difficult for private in- 
dustry to determine its obligations under Title II of ECPA, the 
Stored Communications Act? How do current advances in location 
technology test traditional standards of the ECPA of 1986? 

More generally, in what ways have these and other technologies 
potentially subverted one of the original and central goals of ECPA, 
which was to preserve “a fair balance between the privacy expecta- 
tions of citizens and the legitimate needs of law enforcement?” If 
we are out of balance, what concepts should guide reform? I know 
my distinguished colleagues will have other questions. 

Finally, I would like to observe that we are aware that privacy 
advocates and members of industry have worked together in an im- 
pressive common effort to derive and propose some common prin- 
ciples that should guide our inquiry on ECPA reform. I look for- 
ward to hearing them articulated by our witnesses here in person. 

It is my hope that we on this Subcommittee can emulate your 
example and come together in a bipartisan spirit as we forge ECPA 
reform legislation that will put needed reforms in place, hopefully 
this year. I welcome our witnesses, and I look forward to your testi- 
mony. 

With that, I yield back. And I will now recognize for an opening 
statement the distinguished Ranking Member of the Subcommittee. 

Mr. Sensenbrenner. Thank you very much, Mr. Chairman. 

The purpose of today’s hearing is to examine the need to update 
the Electronic Communications Privacy Act of 1986. Today’s hear- 
ing is a result of calls by a coalition called the Digital Due Process 
to examine how far apart technology and the law may have become 
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and to see if reforms are necessary to keep the law current with 
constantly evolving technology. 

The genesis of ECPA in 1986 was a needed response to the emer- 
gence and rapid development of wireless communications services 
and electronic communications of the digital era. At that time e- 
mail, cordless phones and pagers were by today’s standards in their 
infancy, and as these devices have become smaller, cheaper and 
more sophisticated, we have embraced them more and more in our 
everyday lives. 

The evolution of the digital age has given us devices and capa- 
bilities that have created conveniences for society and efficiencies 
for commerce. But they have also created conveniences and effi- 
ciency for criminals, as well as innovative new ways to commit 
crimes. Fortunately, new ways to detect and investigate crimes and 
criminals have also evolved. 

At the intersection of all these developments and capabilities are 
the privacy rights of the public, the economic interest in expanding 
commerce, the public policy of encouraging development of even 
better technologies, and the legitimate investigative needs of law 
enforcement professionals. 

While some of the issues we will hear about today have been 
heard before, this new initiative by the Digital Due Process coali- 
tion was officially launched on March 30th this year. There has 
been neither sufficient time to examine the concepts that are being 
advanced in any meaningful way, nor has there been time to hear 
from other stakeholders, including relevant members of the law en- 
forcement community. 

While the Digital Due Process coalition makes note that some of 
the principles have been previously embraced by the House Judici- 
ary Committee in 2000, it should be noted that just last year the 
full Committee voted down advancing the requirements for obtain- 
ing authority to utilize the pen register and for obtaining authority 
to utilize the trap and trace device. 

In fact, enhancing the standard for a pen register and trap and 
trace device drew strong opposition from the National District At- 
torneys Association, the National Sheriffs Association, the Fra- 
ternal Order of Police, and the International Association of Chiefs 
of Police, all of whom agree that the proposed changes to criminal 
pen register and trap and trace devices would unduly burden state 
and local law enforcement agencies, who regularly use these tools 
in state criminal investigations. 

There will no doubt be considerable debate on what may or may 
not need to be changed, but there will also be debate on how any 
needed change should be effected. I look forward to the witnesses 
today, and I look forward to having you start the debate. Let me 
say it won’t be the end of the debate. 

Mr. Nadler. In the interests of getting to our witnesses and 
mindful of our busy schedules, I ask that other Members submit 
their statements for the record. Without objection, all Members will 
have 5 legislative days to submit opening statements for inclusion 
in the record. Without objection, the Chair will be authorized to de- 
clare a recess of the hearing. 

We will now turn to our first panel of witnesses — in fact, our 
only panel of witnesses. 
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Jim Dempsey is vice president for public policy at the Center for 
Democracy and Technology, where he concentrates on privacy and 
government surveillance issues. Mr. Dempsey coordinates the Dig- 
ital Privacy and Security Working Group, a forum for companies, 
trade associations, think tanks and public interest advocates inter- 
ested in cyber security, government surveillance and related issues. 
He received his J.D. from Harvard Law School. Additionally, Mr. 
Dempsey was counsel to this Subcommittee under Chairman Don 
Edwards. He continues to carry on that work at CDT, and I am 
pleased to welcome him back. 

Albert Gidari is a partner at Perkins Coie — or Perkins Coie, I 
think, LLP, where he represents a broad range of companies on 
privacy, security, Internet, electronic surveillance and communica- 
tions law. His practice also includes both civil and criminal litiga- 
tion, investigations and regulatory compliance counseling. He is a 
graduate of the George Mason University School of Law. 

Grin Kerr is a law professor at George Washington University, 
who has written extensively on the Electronic Communications Pri- 
vacy Act. From 1998 to 2001, Mr. Kerr was a trial attorney at the 
computer crime and intellectual property section of the U.S. De- 
partment of Justice. He earned his JD magna cum laude from Har- 
vard Law School. 

Annmarie Levins is an associate general counsel at Microsoft 
Corporation. She manages the legal support for Microsoft’s U.S. 
and Canadian subsidiaries, directing the legal teams responsible 
for licensing and service transactions, anti-piracy investigations 
and enforcement, Internet safety work and other areas. Ms. Levins 
formerly served in the U.S. Attorney’s Office in Seattle and in the 
Southern District of New York. She graduated summa cum laude 
from the University of Maine School of Law. 

I am pleased to welcome all of you. Your written statements in 
their entirety will be made part of the record. I would ask each of 
you to summarize your testimony in 5 minutes or less. There is a 
light in front of you. When it turns yellow, that means you have 
a minute left. And I would advise you that the Chair is somewhat 
lax in — or latitude in that area maybe in interpreting the time 
limit. 

Before we begin, it is customary for the Committee to swear in 
its witnesses. 

Let the record reflect that the witnesses answered in the affirma- 
tive. 

You may be seated. 

And we will first — I now recognize Mr. Dempsey for 5 minutes. 

TESTIMONY OF JAMES X. DEMPSEY, CENTER FOR DEMOC- 
RACY AND TECHNOLOGY, VICE PRESIDENT FOR PUBLIC 

POLICY 

Mr. Dempsey. Chairman Nadler, Members of the Subcommittee, 
good afternoon. Thank you for holding this hearing. 

In setting rules for electronic surveillance, the courts and Con- 
gress have long sought to balance three critical interests — the indi- 
vidual’s right to privacy, the government’s need to obtain evidence 
to prevent and investigate crimes and respond to emergencies, and 
the corporate interest in clear rules that provide confidence to con- 
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sumers and that afford the companies the certainty they need to 
invest in the development of innovative new services. 

Today it is clear that the balance among those three interests 
has been lost. Powerful new technologies create and store more and 
more information about our daily lives. The protections provided by 
judicial precedent and statute have failed to keep pace. 

The major Federal statute setting standards for governmental ac- 
cess to communications, the Electronic Communications Privacy 
Act, or ECPA, was written in 1986, light years ago in Internet 
time. Among other key points, private information directly analo- 
gous to a telephone call or letter now falls outside of the traditional 
warrant standard when stored online. As a result, a major section 
of ECPA is probably unconstitutional in many applications. 

Every witness at this table today agrees that ECPA is outdated 
and needs to be reformed to provide strong privacy protections 
while also preserving the tools that law enforcement agencies need 
to act quickly to investigate crimes and respond to emergencies. 

For the past several years the Center for Democracy and Tech- 
nology, my organization, has been chairing a dialogue among lead- 
ing Internet companies, communications companies, privacy advo- 
cates, law professors and attorneys in private practice to discuss 
how ECPA was working and how it needed to be updated. We had 
as part of our group several former prosecutors and several alumni 
of the Computer Crime and Intellectual Property Section of the De- 
partment of Justice. 

In our discussions we were acutely aware of the needs of law en- 
forcement. We started with a list of over a dozen issues. Some of 
the privacy advocates and scholars wanted to go farther in 
strengthening the rules, but the former prosecutors emphasized the 
importance of preserving a sliding scale of authorities. We met 
monthly and then even weekly. 

Ultimately, we reached consensus on four principles — consistent 
application of the warrant standard to private communications and 
documents, consistent application of the warrant standard for loca- 
tion tracking of cell phones and other mobile devices, true judicial 
review of pen registers and trap and trace devices — and we can go 
into more detail about what pen register/trap and trace devices are 
and how they work — and no blanket use of subpoenas. 

Now, in some ways — many ways, actually — these proposals are 
modest. The proposals would preserve all current exceptions, in- 
cluding the emergency exception that permits disclosure of e-mail 
and other content without a warrant, even without a subpoena, in 
times of emergency. We do not propose any changes to FISA or to 
the national security letter provision in ECPA. 

Our proposals on e-mail and stored documents focus solely on 
compelled production from a service provider providing service to 
third parties. We do not propose any change to the rules governing 
how you get information directly from the subject of an investiga- 
tion. A company could not hide behind ECPA if the government is 
investigating that company. The rules permitting subpoenas served 
directly on targets of an investigation will remain unchanged. 

As Chairman Nadler indicated, the companies and organizations 
endorsing this principle call themselves the Digital Due Process co- 
alition. The coalition now includes major Internet and communica- 
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tions companies, major think tanks, and advocacy organizations 
ranging from the ACLU to Americans for Tax Reform and 
FreedomWorks. We are continuing to add new members each week. 

We see our principles as the first step — and I emphasize this — 
just an opening framework in a process that will require public dis- 
cussion, the engagement of other stakeholders, and most impor- 
tantly, dialogue with law enforcement agencies. We have already 
begun the process of discussing these principles with the Depart- 
ment of Justice, the FBI, and the National Association of Attorneys 
General. 

We intend to get very specific in follow-up discussions, address- 
ing concrete hypotheticals about how updates to the law would af- 
fect ongoing practices. 

Mr. Chairman, the coalition is not urging the introduction of leg- 
islation. Many details remain to be discussed before we get to the 
legislative phase. Other issues might be brought forward in addi- 
tion to the four that we have put on the table. We urge this Com- 
mittee and we are urging the Senate Judiciary Committee to move 
cautiously, to hold further hearings, as you already indicated you 
would, to listen to the views of law enforcement, of the telephone 
companies and other carriers. 

Professor Kerr in his testimony has proposed some excellent 
questions that need to be and can be addressed and resolved. Some 
of them, speaking for CDT, I have answers to. Others of them I 
don’t have answers to yet. But we agree they need to be addressed. 
Our coalition foresees a long-term process of hearings, dialogue and 
consensus building. Together, though, we can re-establish the bal- 
ance among those interests that were critical in 1986 — law enforce- 
ment, privacy and business. 

I look forward to your questions, Mr. Chairman and Members of 
the Subcommittee. Thank you. 

[The prepared statement of Mr. Dempsey follows:] 
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reopwot s 

Congrass condudad that 4 aoukl ba unmsa to wart for casas rasdang tfw status d that# 
amar^ng lachnoiotpas lo parcoiaia up through tha courts Aflar m. rt took dacadas lor 9m 
Suprama Court to axtand tha Fouih Amandmant to tha t aiapho n a Tha fladging wiraiass and 
Intamal mdustnas wantad to ba ada to atsura poianbal cuatomars that mar comrmmcabona 
wara pnvala Kay pobcymakars forasaw tha potanbai d thasa lachnoiogiai, in larma d bom 
aoonorrsc davdopmant arrd human mtaf a c b on Anothar Oimaraad would hava baan davaiiaiing 
to privacy and mnovabon To ramova tha doud d doubt about privacy and m ordar lo prowda a 
soimd footing for nvaaimant and r mov ab o n , Congrass adopiad via Bac tr om c Commuiscabont 
Privacy Act d 1966 

Tha statad god d ECPA was twdoid to prasarva *a far balanoa bahwan Vw privacy 
acpactabons d dbxana and Via tagwmda naads d taw anf o r ca mant* Housa Corrmaiaa on tha 
Judoary. EJaetrorsc Comtmmcabons Prrvaey Act d 1966 H Rap No 99^7. 99ei Cong 2d 
Saas 2. ai 19 ( 1966). and to support tha da ^io pmant and uaa d thaaa now lac h noiogw i and 
sarwoas aaaS Rap No 99-541, at S(nobng that lagalunoartainty ovar tha privacy status d 
naw forms d commurscabons ‘may irmacassaniy discourage potanbai customars from uamg 
tnnovdrva commimcabona •yslonis‘1 itwas VwimantdCorigrasstoancouragatha 
prdifarabon d naw commimcabona tachnologias. but rt racogmzad that oonaumars wodd not 
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Inict im WtfinoWoi i t irm pmacy d tiOM uimg Itwn mat not proMcMd Id . H R Rap No 
9»«47. MIS <1966) 

ECRA updawd ttia Wralap Act by ipaofywg ttM a juOaal warrant was raqurad for tha 
naar ca pben' of wiroWu (»mmmcauona and daia corrmuncaiiem - pm la. tha morwtonng of 
oalular cala and amaa at raal tana at thay waia baaig Panamittad ECPA Nao ipaaltad that 
Pia govamnrant naaOad a warrarp to oompai a aarvica prowdar to Aadoaa Pia conianl of amail 
p waa hoMng n afacborK sioraga - biA oNy up to a point In IMW, Congraaa aaawnad Piat 
uaara would accaaa Ptair amail accouiila panodcaPy and download Piair amal onto tiair local 
computara Tha aarvica prowdara would than dalaaa pia amaP from Pwa aarvara Congraaa 
Pioughi pm Pra longaat conoaivabla ama Pm any aanica prondar woiPd kaap amail woidd ba S 
mondra So Congraaa prowdad Pm a warrara waa raiyiarad only for accaaa le amail 180 daya 
oldorlaaa Altar 180 mya . Pia account waa aaaumadloba abandonad and Pta aarvica 
providar ooUd ba compaaod wan a maia aubpoana 10 turn ovar anypwig p aoP had 

ECPA alao aat aiandarda for uaa ol pan ragiatara and pap Pica davioac to mtarcapl d a la d 
numbar mfonnabon Tha Suprama Court had niad Pm Mlaphona uaara had no privacy aaaraai 
n pia dmrng (rParmaaon asaocmad wph Pmr phona caba Congraaa raactad by raqunng a 
coial ordar lor ava ailarcapban of laaang inter niat i on but P aal a vary low uanrfard. apacifying 
pm Pia courta 'ahad' approva m govammarl rariuaata carttyvi g Pm Pia aporm a i i cn Hialy lo ba 
obiimad d ratevam to an ongopig mwaabgation ECPA alao aumoruad uaa of aubpoanaa lo 
compal dddoatra of aubacnbar pfanaPying aitormaiMxi and slorad PanaacPorm recorda 

Ckum II Ttdiifiit) lift Mtpiml KM 

IMvla ECPA waa a forwardloolung abMula whan anacladai 1988. Mcfmology haa advancad 
dramapcady amoo 1988 and Pia aUPula haa boon outpacad ECPA haa net undargona a 
argnPtcarpiaviaionamoaPWBaanacaadai 1988-llgfPyaaraagoaitnlairmtinia ECPA today 
la a patchwork of conluaing aiandarda that hava baan n p arpratad Ptcona ial andy by Pia courta. 
craaang unoartamty for many aarvica providaia and law anforcamani agancMa aaiia Moraovar 
p pr o vid aa nadaquipa proaact i on for huga amointa of paraoim adommion 

Smca anaeanant of ECPA. Pwa hava baan fiaidamanut changaa ai oommuivcaaona 
tachnology and pia way paopN Ida P. ncludMig- 

• Email Moat Amancana hava ambracad amaP n Piav profaauoim and paraorm Inaa 
and uaa P daPy lor conhdanaal commcavcaPona ol a paraorm or buainaaa nalura 
Bacauaa ol tha mportanca of amaP and uramtad Noraga capabPPiaa avalabia today, 
moat paopla aaaa Pmr amaP mdallnitaly. |uat at Piay pranoualy tavad lactart and oPm 
corraipondanoa The dflaranea. of oouraa. la Pm P it eatiar to tava laarch and 
repiava dgpaf co mmum ca iiena Many of ua now have many yaara worth of aforad 
amal Moraovar. for many paopla much of am amaa a norod on Pia compuMra of 
aarvica providart ’ Howavar, ECPA providaa only waak prolactlon lor atoiad amail 
that la mora than 180 daya old, allowing govammantal accaaa wPhoul a warrant 


r msotoiroMi 
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MorMvvr, tti* JustiM Dopailmt^ii aryim lh«t •mall io«M tfM protection of ttio 
warrant tha Instant the osar sends It or opens It 

• IXolMle location: Can phones and moWe intsmsi davees oonstanfly ganaraie locaaon 
data that supports telh undsrtymg service and a QTOMng range o< locabon> based 
servicas of great convamanoa and valua The locabon data can be miaroapted m 
raaAma. and is ofian stored m easily acoessoia logs fias Location data can ravaei a 
parson's movemants. from which mfarences can ba drawn about activities and 
assooations Locabon data is augmeraed by vary precise GPS data bamg ndudad m a 
groweig manbar of dvnots ECPA dots not clearty specify ■ standard for 
govammant access to location information, and agents have been obtaining N 
without a warrant. Sea Ucfiael isSioff. The Snsch n Your Pocket Newsweek (Fsb 
t9. 2010) httti ■www newewsak CQm’>d'1824Q3 

• Cloud computing tncreeengiy. busir>esses and axkviduels are storng data ^ the 
doud* with poianbaty huge banafrtsmarms of cost locunty . flenbaty end the abrisy lo 
share and coiaboraia ECPA needs to etartfy that data stored and processed in the 
cloud has the same proteebons and startderds for law anforeamant acoass as data 
stored locally. 

• Social natworkmg On# of the most stAng dtvelopmanU of the past few years has 
been the rerfxarkatSa growSh of social networking Hundreds of millions of people now 
us# 9iase social madia sarwoas to share nformabon with Inands and at an aaamatrva 
ptatform for pmaea comm u r vrabn n i Even whan private records, photos ar>d ether 
materials are shared only with a couple of Irtands. ECPA may provide only weak 
protection. aHowlng governmental accesa without a warrant 

• Tracking and logging of online activity: For a vanaty of roaaona intamet lemca 
prondars. websites and othar onkne samvoe providars co b s et and log detafad 
mformabon about omoa acbviiy Vihile many Iniamal users have a parcapbon of 
anonymity, in fact much of what they do onlina can be persorvalty bed to them Virough 
toeir computer addresses and odier information dsctoaad and logged m die ordnary 
course of using the msamet ECPA autfionzes a subpoena to acqure carian types of 
subscriber idanfifyvig mtormabon However, govamment agencies have bew filing 
blanfcat subpoenas seeking to idantify all Individuals who visited a particular tda 
contalnlno lawful coolant or all users of a legltlmala online service 

In die face of these devatopmants, ECPA does not provida protection sueed to the way 
technology IS used today 

• Conflicting standards and illogical distinctions: ECPA sots rules for govemmantil 
access to amaf and stored docunenis that are not consistont A smgie email • subiect 
to nsApl# dffarant legal standards in its Mfecyde See Appande A. To t*e another 
axampia. a pnvata documarf stored on a desktop compuiar • prote ct ed by die wdfr am 
regurremeni of the Fourth AmandmanL but DOJ argues i^idar ECPA that the seme 
docunant stored with a servtca provtdar « not ba sttoteci to the wa r rari raqueamard 

• Unclear standards; ECPA does not dearly state the standard tor governmental access 
to locabon infor mati on In die past 5 years, no fewer than 30 federal opm«ena have been 
pubkahad on gov am mant acoesa to cab phone locabon mlor ma bon readkng a vanaty of 
ooncliAona 
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• Judkiil crttlciwii: Tlwcoufli navt rtpMladly cntcnd ECPAtarbMig corArting and 
drITioull 10 apoly Ttw Nnt< DrcuM « 2002 sad Itial inumM survadanco was 'a 
confusing and laicanaai waa of tfia law * 

• Constiluttocul uncartsimy; Tfia courts ara aquady conflKtad about cna aobkcabon of 
tia Fouilb Amandmant to now sarvKas and adormalian A distnct court n Otagon 
racarafy ofsnad that amail w not covarad by Via oonaatuMnal protacbons. vWula tha 
Ninit) Circut fias hald praosaly iha oppoaita Last yaar a pant! of lha Sotti Cnut tint 
njtad that amas was pmacsad by Via ConsMubon and than a largar panat of lha ooiat 
vaealad tha opawm on procadural groiaids. Mvmg tha istua up in Via ar 

Thit muky lagal landscapa doas not sarva Ow gonammant. customars or sarvica prondan 
waa Custornan ara. at bast, conhaad about wfiathar Viair data is sutiact to adaquata 
protacbons wfwn Via goyamman saaks accass Comparuaa ara uncartam of Viair 
rasponsasMias and unabla to assuia thair cmaomars Viat subacnbar data wd ba lanfonnly 
procaciad Tha arrant itala of tha taw doas not waa sarva law anforcarnani ntaratts aitfiar. as 
raaouftat ara waslad on Hbgabon ovar appbcable standards and proaaculions ara n /aopardy 
shotSd tha coirts ubmaialy nila on tha Consstuuonal quesoona Tha solulion is a claar sat of 
njtas lor im arVoroamart accass that wd safeguard and-usar privacy, provida clanty for sarvwa 
pnwidars and anabla law anforcarnani officiaH to conduct affacUva and affiaant rivesbgatioiis 

UK MtHal Hv PTwcn (MriinN 

For nearly three yaan. privacy advocates legal scholars and maior Iniamat and 
comminicaitona Samoa providan have been angagod ai a tbalo^ to eiplora how ECPA 
apphas to naw samoes and tachnologias Tha Cantar for Oamocracy & Tachnology chaiiad 
Ihosa dacussiona Eartiar Ova year, those discussions raactiad a maassona whan a divarsa 
coaiboo devatopad consensus around a core sat at pnnciplas for updating ECPA Tha 
pnnc i pta s are open for signatura and naw anobas are continuing to andorsa a Tha coakbon so 
far ncludas MX. AT&T. CCIA eBay Googla InM. Mierosofl. NatCoaMion and 
Saiatloico com as wall as Via ACLU. Via Etsctromc Frontiar Fouidalion. FiaadonVlMonis. 
Amancans tor Tax Ratorm. and the Compatiliva Emarpnsa Inabtula Sea Appandoi B tor a fid 
list of Coalition mambars 

Tha eoalibon dd not saeli to answer ai t)uestions or ooncarm about ECPA Though mambars 
of Via ooalil j on may rblfar on the spaobcs. and soma individual mambars waAd support 
additional changes aO agrasd on tour pnnaptas that provida a Iramawoik for oparvng a pubhc 
dalogua on the dsua This is wtial the coalition reached conaanaus on 

Uprfatfng The Efactronfc ConrimwWcatfona Privacy Act of f M6 

OverarcMnggoafandgufdlngprfncfpfa. To aanpaiy. cfanty. andursfyifie 
ECPA srandards provsdngatrorverpnvacypiofacbonatorcofflmuncaPonsand 
associafad data in response fo changes fn fschnotogy and new sarvroas and 
usage pavems. wMa pieserwig fhe fagaf tools necessary torgovemmanf 
agencies 10 entoroa me tnvs respond to emergency orcumstencea and profecT 
ffiapubSc 

These pimoplaa woiAd nof change, andani sulfeef to insciwisnfdalhvilions 
aicapoons. immunPaa and parmssions In ECPA 
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f A trtty mty iw>un an tfiMy covtnd by £CPA C piWKitrol 

tmt V ittclronc communctbon f»nK» or a pmwMr bf mnctb comtMiong 
oortoco) to (Atcioto ccrnnurtcabom ibal am not roo<t>y occojoiblo lo tho 
putae or*y rrab a aaoKlt wananl itsuad batatl on a attorning ol imbabla 
eauaa. laganbaaa ottha ago otltia eemmuneations Ifia maana or atatua et 
tttaoatoiagaoiitiapioviOafaaceaaalooiuaaoUhaeoinmuncationainaa 
neimal buamaaa epaiatiena 

2 Agmawmantalanbtywayacoaaa oimayragiaiaaootiaiaOanhtyto 
pmtda. oroapacbiialyorratroapacliyaly. loeabon mfomiation ragmting a 
moM* cammuncafions d*vK* only witti • uvananr ■»»■(> teMd on a 
attonmg at proOabla eauaa 

3 A govamnanlal anoiy may accaaa. or may lagiara a corarad anoty ro 
oromOa pioaoactnalyotmraalbma.iltaladnumbariiaonnalivi. amaHtoanil 
bomirlonnalionoroltmdataeijiranllycovaiadbythaaiAnoittylorpan 
ragalaia and trap and tracadavKaa only altar itiOaalranaw and a court 
IbKbng trial ttia gorammantat anoty tiaa mada a abonmig at taaat aa atrong aa 
ll» anoamg undar 2703(dt 

4 Wliaia Ilia Slaiad Cornnuneabona Act auUtoraaa a aubpoana to 
aaturn intomMon. ■ gouammanlai aniity may uaa auen aubpoanat only 
^ mtormabon latatad to a apaobad accounKa) or mitvidualta) AMnon- 
paibcutamadiaouaatamuatbaaubiaelleiutt^appmal 

InlwvniOanmtimotvandlnmyorMramatkt. lidMkotilyonbMMilorCOT Idonoitpuk 
tar ffi* coi*»o n or any Ot Ht aatar mamOart Howavar, I dram axtananaly on a backgroiaid 
mamo pra^arad Oy Ota ooaMion Tha tal conaanaua Mxl o( lha OOP rnamo it ontna al 
ratp /warn OgdaMuaprocaat org In aMOon. aw ata aidudaa a Wngaiy analyaia by J Backvunn 
Burr of WVmaiHala 

Tha orarartfing goal of ECPA raform tlwuM ba to balanca dw taw araorcamani intaraati of Bw 
gODarnmar a . taa privacy vaaratla of utata. and dw mlaiaaas of oonvnuracaaont tannea 
providara In cartauay aftoancy and puMK conIManca In adiMon aw taHovwng coneapt a 
afiould guda any ratarm 


• Tachnology and Plalform NautraWy A paiMuiar luraS of iraomwoon rtar aaampla aw 
oontara of pnvaw convnmcaiiona) anoiid raearva Uw tanw Wval of proaaciion 
ragardtasa of aw lecfinology pMI^ or butawaa modal utad to craata. commurveaw 
oraaorad 

• AsauraiKa of Law Enforcawant Accaas Tfw lafonn prmopl at woidd praaarva al of 
aw bufkkng blocAa of cnmnai maangaliont - tubpoanaa, oourt ordara pan ragwaar 
ordara. ttap and aaca ordara. and warrama - at wad aa aw tlidmg acaW dwi alovrt aw 
govammani to atcalaw at mvatngaiiva aftani 

• EqualKy Babwaan TrarwII and Sloraga Garwrady. a parbodar caiagory of ntaimabon 
tfioiad ba alTordad dw tama Wval of proleclion nfwlfwr a W ai Vaniit or n ttoiaga 
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• Comiiwncy Dw canMfH of oonvnmcauoni flvxM b* praMOM by • court ordir 
boMO on ptobablo cauM rsgardMi of bow oM tb* communicalion « attd wtiMhor « 
h« boon 'oconorr or not 

• SrmplicNy ond Clactty Al tubofioidon - oonKO provMort. uooro ond govommort 
nvootigaaors • doootvo ctoar and oonplo rulo* 

• Rocognmon of M Exiobng Eioopbons Ovor tio yoan, a vanoly of on c apbot u na»a 
boon wntMn otto Ow ECPA. oucb as provttions alowang ditdootaas to lha goaommort 
wMtioul eouti ordon in amergoncy COM! Tbooa pnnoploo ibeufd loavo al Ibooo 
oacapbons <1 placo 

Raltw g>an attampi a hil rawrao of ECPA. wtacb mgbi haao mmandod cxmooquancao » ■ 
boot to iocua |uM on tbo mot) importanl atuo* • (woo itial ara amoig dady undor Sio currant 
law accaoa to amail and odtar pnvala oommincabont storod in tha doud. accost to locabon 
•dormabon and no uso of subfoonas to obtain transactional data 

VM WmM ilN KKrai Neu II PTMIcr 

Slorad ConmunlcaUons aitd Prtvala Oocurnanls Tba list praioplt andorsad by tbo DOP 
c oitbo n IS not tbo govammont sbouM obtain a soaicb warrant basod on probablo causa bsf ora 
It can campol a sorvKa prowdor to ditdota a usor't pnvata cormrancabons or docunants 
storod onina 

• Ttbs pnnoblo apptoi to pnvata conwnuracabons doeumams and othar pnvata usar 
contanl slorad « or trantmntsd nrougb Iba Intamal 'ctouT tbo sama warrant standard 
not tba Consaiubon and Oa Atralap Act bava tradibonaay provtdad ter tbs pnvacy of our 
pbonacaM or tha physical Mm aa store n OK bonisf It a ntandad to ap^ to pnvata 
amats inttarS massagas taut massages word procassmg documants and 
spraadsbaats pbolot Inlamal taarcb quanat and pnvala posts mads ovor social 
natworhs It it not mtsndad to apply to malanals lavaafad to tbs pubic on no tntamsl 

• Tins ebanga mat fast propotad m bi-parbian Mgialalion mrodiicad at tggs by Sanators 
John Ashcroft and Panck Laahy It is consistart with racard Appeals Court daosions 
botiang that smails and SMS laM massagas slorad by commumcabons piovidsrt ara 
proiactad by tba Fourtb Amandmant and is also consmara widi tba laiasi lagal 
tcholarsbip on tba wsua 

Location Tracking Tba second OOP raform pnncipla t ta lat Ibal na govarnmant should obtain 
a search warrant based on probabta causa batora H can back proapscbvaly or ratioapacbvaly. 

Iba locahan of a cab phono or odrar mobSa conOTHaNcabont davKO 

• This prmopla addrastat Iba Iraabnani of Iba growing quanoiy and quality of data based 
on Via locabon of esa pbonat laplopa and olbar mobila davicas. wfilcb is ciarandy Via 
subiacl of c o nBic a ng coiai dsoaont, a proposes Iba conctusion raaebad by a maionty of 
(ta COKIS that a taarcb warrant • raqurad lor raal bma eaa pbona vadung and would 
apply Iba tamo standard to access to stored locabon data 

• Many datatt of Wt p ratople would have to ba worked through mchidng me dafnbon of 
location nfonnabon. tba aicspbons Ibal woiAd bs lacognoad <wftd< would carianly 
have to induds smargsney orcunstancas), and Iba rata b o n ibip batwaan raquasis for 

cdtr“" 
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locadon ntarniaMn and radunis tor olhir cM (Mai racordf and Hjbscnbw KlmMying 
nfonnaasn 

• A atarranl to moMt toalion ntomabon was fint pcopoMd n 1998 at pan of tha 
taparosan AtKoran-Laany M Tha Houaa Jitooary ConnnOta m 2000 raponad by a 
20-1 veta lagitlabon mat wo(Ad hava racMnO a Marrani to laai-ama Iradurig ol mobaa 
phonal Sm Appandu C to a oompanaan baiwaan bia OOP pnnaplai and aia 2000 
Houta Judtoary CommiMa voM 

A<xaaa to Tranaacbanal Data: Undar Itia DORt mad prmopla. batoa oMaawig tranaacMnal 
data ai raai tana about «iwi and wah whom an indtMdual oemmuncataa uaaig amat. antant 
maata^ng taxi maaaagrig ma Maphona or any ochar canvniaiicaliant tac h notogy tha 
govanvnam tnoiid damonairaia to a eoial that such data d ralavanl to an aumoruad eranmat 
amatbgabon 

• In 2001. ma law govamatg 'pan (agtitoi and trap & trace dancat'— tachnotogiai uaad 
to obtain tranaacbanal data ai raal tana about Mian and wm whom Habviduali 
communcato ovar ma phono— wat axpandad to atao aaow monaonng ol 
communcoboni mada orar ma Inlamat In paibciAar. ma data at laaua xtdudaa 
ntomaaonanwhortoMduataamail wtm. whondvidualalMrMm. who aidrvtoiata aand 
laid moiaagaa to. and tha Inlamal Protoool addraaaaa ol tha Intonal aaat aidiviouali 
«iaa 


• TIM pnnopia woiid laxMa ma law to rtmtci modam tachnotogy by attaHihing pidoal 
raviow ol lufvaaanca raquaati to mia data baiad on a factual shMing ol roaionaliia 
graundt to baiova mol ma mlonnabon loughl a laiavam and matanol to a cnma bamg 
aivaatigalad 

Ovarbroad Subpoarua FaiMy. batoa obtaawtg Iranaacbonal data about multipia unidantifiad 
uaaia ol commincationa or omar onlna aarwcaa whan Iryttg to track down a auapad tha 
gorar n mani ihotAd hrxt damonatrata to a coud mat tha <Ma la naadad to lit cnmaM 
awaabgatian 

• Thia pnnopia addratiai ma cvcumilanoa whan tha govammant uaat lubpoenaa to gat 
atlonnaban m biik about broad categonaa ol Maphona or Inlamal uiari. ralhar than 
aaalung tha racordi ol apacrlic ridviduali that an ralavant to an atvaatigalien For 
aiampla. thora hana baan reportad caiai of tx* raquatla to ntomabon about 
ovaryona mat vt i aid a pomciiar wab aitn on a porbiiilar day, or avaryona mol uaad ma 
intamat to tall producti at a particular lunttkcbon 

• Bacauto luch buh raquattt to ntomabon on ctaaaat ol mdanubad aidmduala 
xophcala lailqua privacy atlaraata. Itaa prtncpta appli aa a atandard raqiamg a ihowaig 
to tha court that tha bulk data a ralavani to an atvaibgabon 

VM lie Mtliad Me rrtceu PrtidiM wmm m M 

In tw of COT. mt ro co nwnonoioont ondoritO Dy tnt OigiUi Om Procost cooUtion aro 
quitt modod and would Mvo mmvnal advdod tmpaci on ardorcamant imaiagatwnt whia 
providng important pnvacy proiactwna 




Tlwy MXid nol an»a RSA or ffw NMIonal SKumy LMMr MiOwnty cf ECPA ( 18 US C 
2708) 

TTwy vtoiM not <ff*ct •mwgoncy dnclOMros Tho VMrotap Act. Vw StoraO 
Communcabont Act and tfia pan ravaMr.lrap and Iraca prowtiant an contaat 
amargancy aicapoona mat pannn mtarcapoona and larvica prondar iPaUoaura without 
a warrant (and avan without a aubpoana) Tha pnnciplas otfarad by lha OOP wuM not 
aflao any o( diaaa amargancy daUoaurat Tha warrant laq u camant tor accaai to 
location adorm a i i en racommandad by OOP woiad ha«a to ba auOiact to tanilar 
amargancy axeapbona Caaa 10 811 would ataoba axampaad Item iha warr a nt 
raqutfamam undar both tha conaani prtncaita and lira amargancy axcapaion 

Tha pimapiaa would not allact cybaraacunly Sannca prondara curmmty hava broad 
authority to mondor Srair own natworha lor cybaraaciaity pugwaaa and to dtaUoaa lo V«a 
govammani adonnatian about auapaOad adacAa or adniaiona Tha OOP 
rac o mmandabona woUd not altar ihaaa auBrortwa 

Thay woiid nava laro anpaci on chiM pornography. cMd abuaa and UMd aafaly 
mvaatigaliona Tha pnnoplaa wara carafully crallad lo preaarva Uly Via loola caracal lo 
Ihaaa inveatigabona Tn^ do not attar ar any way tha chid pornography raportng 
prorwona In tadaral and atata law Thay do nol allar vra axeapbona or oinar pamriaiioiia 
grantad ar Via ataluta lor prawdarg arformation lo lira govairrmant ar child abducbon 
caaaa Thay do nol altar any auVronty lhal aarvica providara hava lo monaor thav 
ayatama ter UiM abuaa imagaa and to dwcloaa audr anagaa to NCMEC or law 
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Tha racommandabona would not covar anyvwig puCacty dncloaad on tha Intamat 
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Via cuaiorrrara of thoaa aannca providara Nor do era racommandabona changa tha 
rulaa tor uaa et aubpoanaa aarvad on Via aarrdar or r a c a xairi 01 an amari or Via craalor 01 
a documarv Tha nVa appiicabla to poatal maa wiMd aiao apply to amM tha raopiani ol 
an amaa, tha era raopant ol a latlar. coiid volunlanly dtadoaa that amal to the 
govarnmam and coiAl ba compadad lo diacloaa a with a aubpoana Tha aandar of an 
amal ooUd ba compaiad to disciOM it waVr a mara aubpoana lo lira aama axtam Vial 
Vra aandar of a Naar can ba convabad lo dacteaa a ralaaiad copy If Vra craator of a 
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Via craator coiid ba ccinrpaiad to diacloaa whaltrar Via docunam waa alorad locaiy or n 
Via cloud 


Tha racommandabona praaarva Via IxiiUng blocKa' of enmnal xrvaabgabona Undar 
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mlarcapbon of aignaling and roubng arformabon Bated on analyaia of thra and oviar 
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data Viay may than hava proOaUa causa Id oMam a saarch wananl Tha DDP 
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U S 727. 73) <1077) Bark cusUmars have a privacy marast in lha contents ot Swr sale 
dspose bones raqumng a wa na nl torgovamroant access UnSedSfafasv Thamas No 00- 
0341, 1909 WL 72920 al *2 (Oth Or Ji4y S, 1089) Moraover. ttas piwacy nghl survnas even * 
lha sannca providar has nghit to amar the protedad space nr Inepacs Ota matanal Tenants In 
rented rasideneas and hotel rooms mamlan Foisth Amandmanl pnracy nghts In thee unes 
Stoimv. CaMoma. 370US 403, 489 (1904) The fact that landtonts and hotel managers may 
be ermiiad to enter the pramitas for maeitananca and oaiar pisposee does noitvng to demneh 
lha lananis expectations against toe govamment kt 

Tha VMretap Act racogruzas lha same pnnctpis It parmils sarnoa providars to conduct sarvica 
qualey mem to nng and to aiamna and Aactoea customer commmications for the pispote of 
prolacang ihe nghts and property ot tha sarvica provider ftona of Viasa aanne (tmimsh the 
pnvacy nght of the tawphone customer as aganat govammenlal imfusion. nor shocM the 
acbvitiat ot providars of tree hnamet amal and free doud compuong sarvroes dmailsh tha 
prfvacy nghts of users as against others 

•OKf HM bnn Nil NcKnt Utlcilloii 

Thera are oawr issues that may mare attamion SI addaon to those oovarad by die consensus 
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• Cmf ssgani access Several court daasions navs mads e dear mat ECPA does not 
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communcations sannca providars or providars of lamota compudng sarvica to the 
pubkc imdar these rulsigt such raqussts should be saivad on lha sender or raopare of 
die commurvcabons who can be oompeSad isider noimal dscovaty ness to s e fiar 
rsinave them and dsdosa them to the Migare or to give oonsare to the sannca providar 
to dsctosa diam iMsle these cases are a oonact raadeig of ECPA, and while they offer 
a dear path to dscovary ei most cases sarvica prondars conanua to spend 
considsrabla resources defandng against end lagani laquests. bnakng the issue one 
COUI1 at a lima Soma hava argued that ECPA eoiid be ctanfiad. whda perhaps 
mdudkig a safety valva procass (or casas si vkiich tha user whose communcations ara 
sought camol be foiaid 

• Reportng and transparency Tha Wratap Act raqueas emral pub k cati on ot stabsocs on 
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davKas or (or compultoiy dadosure of stored c o nsent 

• Tho Wiretap Ad only covers silarcepbon of oommuracalions It does not cover the use 
of video cameras si prrvaw pfacas Tha recant case m Manon County. PA In wlsch a 
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to diacataaoa fudhar mnovabon Aa a haa ai Via paal. Congraaa ahoiid updala tha privacy lawa 
lo praaarva via batanca balwaan gova m m a m powar and paraotial pnvacy. praaarvino law 
ardor ca mant loeta and gwaig eompamaa Via danty may daaarva Congrra ahoiAd eidand Via 
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wlueli lha govammani issues or servas as process 
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• Draft amaS stored on desktop computer • As an amad • bamg drafted on a person s 
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• Draft amail stored on gMal - However, il lha parson draltng Vie amaa uses a 'ctourf 
tervica such as Google s gMaa and stores a copy ol Vta draft amal w<h Google 
manding to srsth a and sand a latar, ECPA says Vial Googla can ba eompaPad to 
(ksdosa tha amaa with a mare subpoena IS U S C 2703(b) 

• Contatd ol amaa ai trarwl - After the parson wnang Vw amaa tats 'sand.* Via amaa is 
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portion at ECPA known at Vw Stored Commuracabons Act. IS U S C 270S(al At toast 
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• Comara oa opened amaa « storage wan senncs providar ISO days or toss - Tha Jusbca 
Oaparlnwnt argues Vwt an amai once opened by Vw intended racrpwni anmadelaly 
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warrant protacbon tar aS sent amaa ) Tha NtnOi Cacut hat letactad this argument Tha 
question ramams unsatttod ai the rest ol Vw country Tha Justwa I3epanmani raoantty 
sought opened amal in Colorado wthoul a vMirrant vVwn Vw sarvica providar r esist a d , 
Vw govammarv withdrew its request, which maarw ai alfact that outstoa ol Vw NaVh 
Cacud Vwra is one standard tor sarvica prowdars who comply wtoh subpoen a s and orw 
tor service prowdars who aittot on a wanani 

• Comani ol emai at storage w«h tervioa providar more than 180 days - ECPA spaoiws 
Vial tH amal after 180 days loses Vw wanani protacaon and a avaaabie with a mare 
subpoarw. issued without (ursoal approval 
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Mr. Nadler. Thank you. 

Mr. Gidari is recognized for 5 minutes. 

TESTIMONY OF ALBERT GIDARI, PERKINS COIE LLP 

Mr. Gidari. Thank you, Mr. Chairman, Committee Members. It 
is a pleasure to be here. 

Today I appear as an individual not representing any particular 
service providers or clients, but over 15 years I have had the pleas- 
ure of working with many in industry in their implementation and 
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compliance with ECPA and with the Communications Assistance 
for Law Enforcement Act. 

These service providers are caught in the middle every day. The 
best way to determine whether ECPA is out of balance is to take 
a look at what service providers do every day, and that is essen- 
tially guess. 

They try to understand what the law requires and implement it 
on a daily basis, but because the law relies so much on definitions, 
like an electronic communication service provider to the public or 
a remote computing service provider to the public, service providers 
have to understand how the law applies to them and the legal proc- 
ess they need to disclose user communications and information. If 
they don’t understand the bright line rule, then mistakes can be 
made, and those mistakes carry real consequences. 

We have cases, one heard just recently in the U.S. Supreme 
Court, where the service provider guessed wrong, thinking it was 
one thing when it was another, in disclosing communications on a 
lower standard than it should have and therefore being liable for 
that privacy breach. 

That is an untenable position for the men and women of service 
provider security offices, who every day deal with these requests 
from law enforcement and understand that those requests are 
valid, important, and sometimes life-threatening, but yet they also 
have user privacy concerns, and they must meet that imperative to 
protect user information. 

So it is an untenable position for them. They have a real identity 
crisis about what they are today when in a social networking envi- 
ronment, you could be just as easy an electric communications 
service provider as a remote computing service provider, and who 
knows under the definition what you are? It is a very difficult posi- 
tion. 

So we know it is out of balance, and we know clarity is impor- 
tant. As much as the academic debate about what the right stand- 
ard is interesting, it isn’t as interesting to service providers as hav- 
ing a clear rule. So if there is anything that can come out of this 
hearing and future hearings, clarity first and foremost. 

I would like to observe also with location-based services, for 15 
years I have worked with wireless carriers and their response to 
law enforcement requests to use what is a remarkably robust and 
important tool for law enforcement, tracking capabilities, the abil- 
ity to find a bad person or a kidnap victim in real time as quickly 
and as efficiently as possible. It is a great, great capability, but 
right now it is a muddle. 

Service providers haven’t got a clue what the right legal standard 
is, and within the same judicial district, you might have two mag- 
istrates who disagree and issue contrary orders for the standard 
upon which to disclose that information. And what information 
should be disclosed? How often? How frequently? It is not uncom- 
mon for law enforcement to ask for a phone to be pinged every 15 
minutes. 

In a lot of ways service providers’ security offices and their per- 
sonnel feel like they are the customer service of some computer or- 
ganization, having to respond to incessant and continuous requests. 
Now, they are important requests, but the fact is the law does not 
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state how often, how frequently, how rich, how detailed and to 
whom that information should be provided. The service providers 
simply need the clarity to understand what to do. 

Lastly, I would like to just observe that in ECPA there are some 
areas for improvement on transparency. It is difficult to make pol- 
icy if one doesn’t know how much information is collected. And 
from a personal perspective dealing with the volume of requests 
every day, this Committee and the public would do well to have 
clear numbers before them. 

The number of user records requested on a daily basis is astro- 
nomical. We can commend Google, who recently published through 
their transparency project, a list of statistics that show the number 
of requests that they receive on a regular basis. Those numbers are 
dwarfed by the number of requests that service providers like wire- 
less carriers receive every day. 

Just yesterday the administrator of the courts received the wire- 
tap report, and that annual report tells you the number of wiretaps 
conducted each year. For the past year, 2009, the numbers went up 
26 percent. There is some good in those numbers. The U.S. stacks 
up pretty well compared to the rest of the world. If all we had was 
2,600 total Federal and state wiretaps last year, somebody is doing 
something right and reviewing them carefully and not over using 
them. 

Unfortunately, we don’t know how many pen registers have been 
implemented. We don’t know how many location orders are imple- 
mented. And we certainly don’t know how many user records have 
been asked for, used, and how long those are retained. If we could 
do anything to improve ECPA and its transparency, the collection 
and publication of that data would go a long way to helping the 
Committee make decisions on good, solid policy. 

Thank you, and I hope to answer any questions you have. 

[The prepared statement of Mr. Gidari follows:] 
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Mr. Chairman and Members of the Subcommittee on the Constitution, Civil Rights, and Civil Liberties, my 
name is Albert Gidari and I am a partner at Perkins Coie LLP where, among other things, I represent 
service providers in responding to government requests for user information under the Electronic 
Communications Privacy Act of 1 986 ("ECPA"). Thank you for the opportunity to submit this testimony 
concerning the need for reform of ECPA to address new innovations such as social networking, cloud 
computing and location-based services. 

Let me say at the outset that these comments reflect my personal views and I am not speaking for or on 
behalf of any client or group of clients. Instead, I offer my personal observations on the state of ECPA, 
drawn from over 15 years of working with a wide variety of service providers, including wireless carriers, 
ISPs, and other online companies. Frankly, from a service provider's perspective, ECPA is broken. How 
the law applies to all of the new services, applications and technology available to users today is at best 
an educated guess. As a result, service providers are caught in the middle between law enforcement 
demands for ever more information and the legal imperative to protect the user’s privacy.^ 

ECPA reform should get service providers out of the middle. The privacy community and law 
enforcement may not agree on the legal standard that should apply in every case, but everyone agrees 
that service providers must have clear rules for disclosing user communications and information. The 
rules are not clear today and will be less clear tomorrow as innovation and new services arise that 
Congress did not contemplate in 1986 when ECPA was first passed. 

The Center for Democracy and Technology's Digital Due Process Principles^ (the "Principles") provide a 
sound basis for ECPA reform and would go a long way toward addressing what service providers want - 
bright line rules for disclosing user communications and information regardless of the characterization of 
the service, the type of technology employed, or whether the information is in transit, at rest on some 
computer server before reaching its intended destination or stored in the cloud. To demonstrate the need 
for clarity, these comments review how ECPA might or might not apply to a typical cloud computing 
application - the online editing and sharing of documents - and the uncertainty about the legal standards 
that apply to disclosure of the document and user annotations. Similarly, location based services are 
proliferating, but the legal standards for disclosing historical and prospective location information are a 
muddle at best and inconsistently applied at the state level. Finally, there are a number of steps 
Congress can take to improve transparency and process in ECPA to the benefit of user privacy and 
service provider operations. Enhanced reporting of the number of user records obtained each year, for 


^ For a detailed discussion of the serious conflicts that arise between service providers, law enforcement 
and users, see A. Gidari, Keynote Address: Companies Caught in the Middle, 41 Univ. of San Francisco 
L. Rev. 555 (Spring 2007). 

^ The Principles can be found at: http://www.digitajdueprocess.org/index ■cf1n?Qbiectid=99629E4Q-255 1- 
1 1 DF-8E02000C296BA1 63 . 
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example, would provide the grist for better policy determinations. Likewise, service providers should be 
able to recover their costs of compliance, and users should be notified of legal process unless doing so 
would have an adverse effect on an investigation. These improvements would go far to improve ECPA. 

What Rules Apply to Services in the Cloud? 

Consider how ECPA might apply to a cloud computing service that permits users to create, store, edit and 
share documents over the I nternet with others. The service is free to users, but it is advertising 
supported: that is, ads are served to users based on a mechanical scan of the content of the document 
for key words that advertisers use to display text ads. The service permits users to post documents and 
then invite others to view or edit them. Indeed, invited "collaborators" can annotate and edit the 
document in real time, seeing each others' changes as they are made. 

Here's how such a service might be used today. A college student can post her paper via a cloud 
computing service and invite her professor to view it online. The invitation is in the form of an email 
generated from within the application when the student opts to share it with others. The professor can 
then access the document simply by clicking on the link provided in the email and then proceed to 
annotate the student paper, asking questions like "what is the cite for this quote?" The student may 
respond in real time by adding, for example, a footnote citation and inserting a comment that the citation 
was inadvertently omitted. The professor can see her typing as the words appear on the screen in the 
document itself. If the paper was a joint student project, other students could follow the real time 
annotations and changes. If they were offline when the changes were made, they would receive an email 
notice that the paper has been revised with a link to go view it. 

There is substantial doubt as to whether or how ECPA applies to the service. Yet, the answer determines 
whether law enforcement will need probable cause and a search warrant to compel disclosure of the 
document and annotations or whether a mere subpoena issued without judicial review or even notice to 
the user will suffice. The privacy implications are palpable. If the service provider is a remote computing 
service to the public under ECPA, then law enforcement may compel the disclosure of the document and 
annotations with a grand jury or administrative subpoena with notice to the user unless such notice is 
delayed because it will have an adverse effect on the investigation.^ If the service provider is an 
electronic communication service provider to the public under ECPA, then the government must obtain a 
search warrant based on probable cause to compel disclosure of content in electronic storage for less 
than 1 80 days. Thus, under ECPA today, it is the characterization of the service provider and its service 


^ As a practical matter, the service provider has no way of knowing whether a user has been given notice 
of the subpoena. Law enforcement agents are not required to certify that notice was given nor are 
service providers required to obtain proof of notice before disclosing the information. 
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offering rather than the content of the document or communication that determines the degree of 
protection afforded to users. 

On the one hand, the student stores the document on the host's servers and uses the service's features 
to process her edits. The service seems to fit the ECPA definition of a remote computing service - “the 
provision to the public of computer storage or processing services by means of an electronic 
communications system.”'* But the sharing and collaboration features of the service have more in 
common with an electronic communication. Indeed, the purpose of posting the document is to provide 
others access to it and the service provides capabilities for users to communicate within the document 
itself through annotations or embedded comments. ECPA defines electronic communication to mean 
“any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in 
whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects 
interstate or foreign commerce. If the service provider is wrong about how to characterize itself or the 
service, user information may be disclosed on a lesser standard, and the service provider may be subject 
to civil suit. 

The risk is not theoretical. In Quon v. Arch Wireless Operating Co., Inc.,^ a case just argued before the 
Supreme Court on a different point of law, the service provider incorrectly decided that it was a remote 
computing service for purposes of disclosing stored text messages to its customer, the City of Ontario, 
California. The Court of Appeals for the Ninth Circuit decided that the service provider was in fact 
delivering an electronic communication service and therefore it needed the consent of the individual 
users, not the City-subscriber, to disclose the stored communications. As a consequence of guessing 
wrong, the service provider incurred liability. 

To further confuse matters, the Department of Justice {''DoJ'') takes the position that, notwithstanding the 
Quon opinion, a service provider may offer both a remote computing service and an electronic 
communications service simultaneously, or it may not be covered by ECPA at all. For our college 
student's document in the cloud, if she didn't share it with anyone and simply stored It with the service 
provider for her own use, presumably DoJ likely would view the service as a remote computing service. 
But because the service provider is permitted to access the content of the document for advertising 
purposes, DoJ would say that ECPA does not apply at all to the service. The document simply falls 
outside ECPA and a simple subpoena without any notice to the user would suffice to compel its 
disclosure. 


^ 18 U.S.C. §2711(2). 
§2510{12). 

®529 F.3d 892 (9th Cir. 2008). 
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It is unclear whether DoJ would agree that the collaboration and sharing features of the service that 
permit users to communicate with each other within the document itself constitute an electronic 
communication service. But even if it did, once the annotations were read by any other person authorized 
to view them, DoJ's position would be that ECPA no longer applies, just as it contends ECPA does not 
apply to opened email. ^ 

So what is a service provider to do? CDT's Principles would treat user generated and stored content the 
same regardless of the service, functionality or technology involved. The Principles would require the 
government to obtain a search warrant based on probable cause to compel disclosure of any content 
stored in the cloud. This approach has the virtue of assuring users that their information will be protected 
the same in the cloud as it would be on their own computer in their home. Service providers would have 
a clear rule that would be easy to follow, and litigation would be avoided. In practice, some service 
providers already take this position and any applications that permit users to share content are treated as 
electronic communication services. 

What ECPA Issues Arise with Location Based Services? 

Location information long has been a mainstay in criminal investigations, yet after almost two decades of 
acquisition and use of the data, the legal standard for obtaining historical location information records, 
current real time location, and prospective tracking remain unsettled. Whether probable cause is the 
appropriate standard for obtaining historical location information is before the Court of Appeals for the 
Third Circuit,^ but plainly, the government routinely acquires historical data using the lower standard in 
Section 2703(d) of Title 18. 

The legal standard for obtaining prospective location information and tracking data has been the subject 
of a "magistrates' revolt" for several years. Many federal magistrates have refused to permit prospective 
Iccaticn informaticn acquisiticn on less than a probable cause showing. Those magistrates who reject 
the lesser standard find that when the government uses a cell phone to track a user, it converts the phone 


' The DoJ steadfastly maintains that once an email has been opened, it is no longer in electronic storage 
and can be obtained with a subpoena. The Court of Appeals for the Ninth Circuit has rejected this 
interpretation, but DoJ disagrees and routinely moves to compel service providers who reside in the Ninth 
Circuit and store user data within that jurisdiction to disclose such information in districts outside the Ninth 
Circuit states. Just last month, DoJ moved to compel Yahoo to make such a disclosure in the United 
States District Court for the District of Colorado, but subsequently withdrew its demand. An amicus brief 
filed in the case can be found at: http://vvww. eff.org/fiies/fiienQd e/inreusaorder^ S/AmiciBrlefYahooEmails.pdf . 

® In re U.S. for an Order Directing a Provider of Electronic Communication Service to Disclose Records to 
the Government, 534 F. Supp. 2d 585 (W.D. Pa. 2008)(entire district rejects government request and 
requires probable cause for stored and prospective location), order affd by In re U.S. for an Order 
Directing a Provider of Electronic Communication Service to Disclose Records to the Government, 2008 
WL 4191511 (W.D. Pa. Sep. 10, 2008). 
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into a mobile tracking device, which is governed by Section 31 1 7 of Title 1 8 and which, pursuant to 
Federal Rule of Criminal Procedure 41 , requires a search warrant based on probable cause. 

But sometimes even in the same judicial district, some magistrates have ruled that the government is 
entitled to the information on a lesser showing. Because a single district Judge’s ruling does not establish 
binding precedent within a district,^ service providers must follow whichever form of order they receive. 
And because ECPA provides the floor for state legal process as well, the proper legal standard is more 
confusing when federal magistrates sitting in the same federal district in a state disagree - which 
standard should a state court Judge follow when issuing a tracking order? The result is that two identically 
situated users under investigation in the same state may have their location information acquired by 
federal agents on two different standards, and for state investigators, it essentially is a dealer's choice as 
to which standard is applied to get the tracking information. 

As interesting as the debate is over the proper legal standard for tracking, there are other legal issues not 
answered in ECPA today as well. The following issues are faced by service providers every day in 
response to government demands for acquisition and use of location Information: 

a. Duration and Periodicity of Order. Orders for location information seldom state the 
duration. If Rule 41 applied, the duration would be 10 days; but common practice is to 
require location information reporting for the duration of a pen register order, up to 60 
days. Further, how frequently location information is to be acquired during the course of 
a day remains unclear and whether it is to be limited to the beginning and end of a call, or 
autonomous registration. In other words, can law enforcement require reporting of 
location information every 15 minutes fora period of 60 days? 

b. Compensation to Service Provider. Under the government's hybrid theory, service 
providers should be entitled to cost recovery under both Sections 3124 and 2706 of Title 
18, but there is no clear reimbursement rule for Rule 41. 

c. Notice to Users. Notice is not prohibited for historical records obtained by a court order 
alone under Section 2703(d): it is prohibited for hybrid order; and it is unclear for Rule 41 . 

d. Target v. Associates (hub and spokes). Regardless of the legal standard applicable to 
the target phone, what standard applies to obtain the location information for all those 
with whom the target communicates? It is common in hybrid orders for the government 


^ See, e.g., ATSI Communs., Inc. v. Shear Fund, Ltd., 547 F.3d 109, 112 & n. 4 (2d Cir. 2008) (citing 
cases). 
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to seek the location of the community of interest - that is, the location of persons with 
whom the target communicates. 

e. Customer or User Consent to Track/disclose (implied or express). Can a user consent to 
tracking or disclosure of location information, and if so, whose consent is necessary - the 
user’s or subscriber’s? 

f. Preemption of less strict state law. To the extent a state law or rule permits location 
information to be disclosed on a lower than federal standard, ECPA preempts the state 
rule, but state law enforcement authorities disagree or seldom have heard of ECPA. 

g. GPS standard. The accepted rules of Knotts^^ and Karo^^ — tracking in a public place is 
permissible without a warrant; tracking in the home is not — are under attack in state 
courts as those rules have been applied to GPS.^^ Courts are now deciding that modern 
GPS is much more intrusive than the “bugs” used in Knotts and Karo, and such sensory 
enhancements may require reevaluation in light of the Supreme Court’s decision in 
Kyllo. GPS is now part and parcel of many third party applications as well -- what 
standard applies to GPS data in a third party's possession? 

h. Location information as content. In the case of many location-based services (“LBS”), 
some logging of a user’s location may occur and be retained. In many such applications, 
the user is conveying his or her location to another user essentially as a communication - 
"here I am.” LBS providers treat such electronic communications as content that cannot 
be disclosed under ECPA without complying with the requirements of Section 2703, 
which means that the characterization of the service provider as a remote computing 
service or an electronic communication service will determine the standard under which 
the location information is disclosed. 


^ United States v. Knotts, 460 U.S. 276 (1983) (Fourth Amendment does not prohibit tracking in a public 
place). 

United States v. Karo, 468 U.S. 705 (1984) (monitoring a beeper in a private home violates the rights of 
those justifiably expecting privacy there). 

See People v. Weaver, http:/7w'A/w,nvcourts.aov/ctapps/declsions/20Q9./mavQ9/53Qpn09.pdf (N.Y. Court 
of Appeals, May 12, 2009). 

Kyllo V United States, 533 U.S. 27 (2001) (use of thermal-imaging device to detect relative amounts of 
heat in the home is an unlawful search). 
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How Can Greater Transparency be Achieved in ECPA? 

Service providers are overwhelmed by the volume of governmental requests for user communications 
and information. There are over 10,000 federal, state and local governmental agencies with subpoena 
power. The volume of user information collected by government is astonishing, but largely unreported. 
Only Google publicly reports the number of governmental requests it receives.^'’ The number of requests 
Google receives is dwarfed by the number of requests wireless carriers receive each year. 

It is difficult to understand how sound policy can be made without knowing how much user information is 
collected. Take pen register information for example. DoJ is required to report the number of pen 
registers conducted each year to Congress. It has not done so with any regularity, but even if it had, 
the number of pen register orders implemented is not all that revealing. More important is the number of 
subscriber records obtained under the order. 

Pen register orders routinely authorize the investigating agent to compel disclosure of subscriber records 
for every person called or calling the target phone. A target can make hundreds of calls during a typical 
60-day pen register period. The pen register yields a list of numbers, and law enforcement agents 
routinely send that list to every carrier that might possibly provide service, demanding production of any 
records for any number that belongs to that carrier. Thus, a single pen register order can result in the 
disclosure of hundreds of individual customer phone records. Likewise, a single grand jury subpoena 
may list dozens of accounts for which subscriber information is sought. 

Account-based reporting would provide Congress and the public with the necessary information to judge 
whether the right balance has been struck as to the standards and ease with which information is 


See the Google Reporting Tool at http://www, qooqle.com/governmentrequests/ . 

See 18 U.S.C. § 3126. Reports concerning pen registers and trap and trace devices. 

The Attorney General shall annually report to Congress on the number of pen register orders and orders 
for trap and trace devices applied for by law enforcement agencies of the Department of Justice, which 
report shall include information concerning — 

(1) the period of interceptions authorized by the order, and the number and duration of any 
extensions of the order; 

(2) the offense specified in the order or application, or extension of an order; 

(3) the number of investigations involved; 

(4) the number and nature of the facilities affected; and 

(5) the identity, including district, of the applying investigative or law enforcement agency making 
the application and the person authorizing the order. 
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gathered. Congress has required as much for emergency disclosures, but again, no public reports are 
available as to whether DoJ has complied with this requirement either. 

Service providers are prohibited by ECPA from recovering the cost of producing phone records, but 
service providers otherwise may recover costs reasonably necessary for the production of other 
subscriber information. When records are "free,” such as with phone records, law enforcement over- 
consumes with abandon.^® Pen register print outs, for example, are served daily on carriers without 
regard to whether the prior day's output sought the same records. Phone record subpoenas often cover 
years rather than shorter, more relevant time periods. But when service providers charge for extracting 
data, such as log file searches, law enforcement requests are more tailored. Further, mandatory 
reimbursement would permit Congress to "follow the money," creating an audit trail of how much is spent 
in collecting user communications and information. 

Users, of course, generally are unaware of requests for their information. The law precludes notice of 
interception and pen register orders, but there is no prohibition on notice of grand jury or administrative 
subpoenas or other court orders. Yet, because ECPA does not require notice to the user prior to service 
provider disclosure to the government, most service providers do not give notice. 

The government has the ability to obtain an order to prevent notice in limited cases where such notice 
may yield an adverse result such as (a) endangering the life or physical safety of an individual; (b) flight 
from prosecution; (c) destruction of or tampering with evidence; (d) intimidation of potential witnesses; or 
(e) otherwise seriouslyjeopardizing an investigation or unduly delaying a trial. But more commonly, it 
simply requests nondisclosure {although some have argued that disclosure would be an obstruction of 
justice), and service providers generally comply. 

But the government has a means to ensure against an adverse effect on an investigation. Mandatory 
notice should be required in all other cases so that users (rather than service providers) can assert their 

See 18 U.S.C. § 2702(d) Reporting of emergency disclosures.— On an annual basis, the Attorney 
General shall submit to the Committee on the Judiciary of the House of Representatives and the 
Committee on the Judiciary of the Senate a report containing- 

fl) the number of accounts from which the Department of Justice has received voluntary 
disclosures under subsection (b){8); and 

(2) a summary of the basis for disclosure in those instances where— 

(A) voluntary disclosures under subsection (b)(8) were made to the Department of 
Justice; and 

(B) the investigation pertaining to those disclosures was closed without the filing of 
criminal charges. 

See 18 U.S.C. § 2706(c). 

No one knows how long the collected information is retained or which agencies have access to it. 

18 U.S.C. §2705. 
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rights. How would a service provider know that an otherwise routine-looking subpoena was directed at 
protected First Amendment rights for example? Service providers should not be in the middle of such 
disputes. 

Finally, service provider response to the enormous volume of government requests is an exercise in daily 
triage. Every agency believes its request should be handled first, its investigation is most important, and 
any other agency's needs can be given lower priority. It is not uncommon in pen register orders today to 
see a requirement to produce subscriber records "immediately" upon agency request or in an expedited 
fashion such as "no later than 3 days after demand." Rules of procedure typically allow only a short 
period of time in which to respond, and put the burden on the third party to move to quash or amend an 
unduly burdensome request. 

This "press for production" establishes all the wrong incentives. There should be no incentive to rush or 
not review legal process. Moreover, the squeaky wheel should not get the oil of advanced or quicker 
production by calling security office personnel and threatening contempt or cajoling early compliance. 

The service provider ought to have, and ECPA should provide, a priority rule of "first in, first out" for any 
request, and a uniform time frame for compliance of 30 days should be set for both federal and state 
governmental entities, absent an emergency. 

Conclusion 

Thank you for the opportunity to present these comments today in favor of ECPA reform. ECPA always 
has been a complicated statute and difficult for service providers to implement in the simplest of times. 
But as new services and innovations come along, the task of legal compliance has become more luck 
than art. Service providers want clarity and bright line rules. I believe that users, privacy advocates and 
law enforcement want the same thing. 

In closing, the Committee should understand one thing - service providers employ hundreds of security 
office professionals who each day confront ECPA problems of interpretation and implementation. These 
men and women know that their hesitation or delay may have life or death consequences. At the same 
time, they know that user privacy is important and an imperative. It is really these men and women who 
are caught in the middle and deserve our appreciation for the professional job they do every day. 

Similarly, law enforcement agents who seek user communications and information generally do so in a 
professional and courteous way. By far, the majority of requests are handled in this way and do not give 
rise to disputes. While the relationships between law enforcement and service providers may vary from 
provider to provider, in my experience, mutual respect and professionalism has been the rule. 
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Mr. Nadler. Thank you. 

And I now recognize Mr. Kerr for 5 minutes. 
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TESTIMONY OF ORIN S. KERR, PROFESSOR, THE GEORGE 
WASHINGTON UNIVERSITY LAW SCHOOL 

Mr. Kerr. Chairman Nadler and Members of the Subcommittee, 
thank you very much for the invitation to be here today. 

I think it might help to start with understanding why we are 
here. In traditional criminal investigations, the police do the work 
on their own. They walk the beat. They conduct their own searches. 
If they see evidence of a crime that they think they need, they take 
it. They don’t work with providers. They don’t work with anybody 
else. They make all the decisions on their own, sometimes pursuant 
to judicial review by a judge, but not with the work of any private 
party. 

The opposite is true with new online crimes, crimes committed 
using networks, whether it is the Internet, crimes committed using 
telephones, or simply a case where there happens to be evidence 
that is stored or available over some sort of a network, whether the 
Internet or the cell network. 

In all those cases, the government is working through the inter- 
mediary of the provider. There is a company, a company that runs 
a network that has data, and the real question, and the question 
that the Electronic Communications Privacy Act is designed to ad- 
dress, is what should the rules be when the government wants 
data that the network has, or when the network company, the 
third-party provider, wants to disclose information to the govern- 
ment? 

Now, that means that in order to understand the issues raised 
by ECPA, we need to think about what the data is and when does 
the government obtain it. So it may be helpful to think about two 
different kinds of data that the communications providers may 
have. 

One category is content of communication. That is the actual 
message that somebody may be sending or receiving over the net- 
work. It might be an e-mail. It might be a text message. In the case 
of a phone call, it would be the actual conversation that two people 
are having. 

And then there is lots of non-content information. The non-con- 
tent information is information that the network is generating and 
using in order to deliver the communication. Now, we can under- 
stand what kind of content the network might have, because we as 
users of the network are aware of that. If somebody sends you an 
e-mail, for example, you know that the e-mail is there. 

Non-content information is quite different. The amount of infor- 
mation that may exist depends on the technology, depends on the 
network. It may depend on the company, depends on business deci- 
sions that each company is making as to whether to keep records, 
whether to generate certain records. And that means there are lots 
of records available, and those records may vary dramatically, 
based on the company and based on the technology. So that is the 
issue of what the records are that are out there. 

The next thing you need to think about is when is the govern- 
ment collecting the information. So again, we can think of two 
basic categories. The one category would be when the government 
comes to the provider and says, “We are going to compel you to dis- 
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close certain information. We want you to act on our behalf as our 
agent, essentially, and provide certain information.” 

Maybe it will be stored content that the government wants. 
Maybe it will be stored non-content information that the govern- 
ment wants, these records. And other times the government will 
want a real-time surveillance to occur, sometimes of content in the 
case of wiretapping, sometimes in the case of non-content informa- 
tion, for example, where somebody’s cell phone is located or who 
somebody is e-mailing. So that is the case when the government is 
compelling information. 

And then the flipside of that is what if the provider comes across 
evidence and wants to disclose it to the government? Maybe the 
provider has uncovered child pornography. Maybe the provider has 
discovered some evidence of some other crime and wants to provide 
that information either to the government or even to a non-govern- 
ment group. What should those rules be? That is the question that 
the Electronic Communications Privacy Act was designed to ad- 
dress in 1986. 

Now, of course, in 2010, technology has changed dramatically. 
And I am very glad to hear that the Committee has planned more 
hearings, because I think what really we need to hear from is we 
need to hear from these providers. We need to find out what infor- 
mation do they have. 

What are their practices? What is the technology? How does it 
work? What kind of cell phone location information do different 
providers have? How close can they get to finding out the location 
of the user of the phone? How long do they keep their records? 

So we need to find out from the providers what are their prac- 
tices. And then we also need to find out from the government how 
do their investigations work? Those of us that watch a lot of tele- 
vision know we have seen a lot of Law and Order, and we know 
how those investigations work, or at least how they work on TV. 

But mostly we don’t know how these new online investigations 
work. We haven’t seen those investigations. Very few people have. 
So we need hearings to talk about not only the technology, but 
what are the kinds of cases that the government is working? How 
do these cases actually unfold? 

And I think it is only after getting that informed sense of what 
the technology is and how the investigations actually work that the 
Committee can think about what do these rules need to be like. 
How do these rules need to change? It has been a quarter century 
since ECPA was passed, and it is time to think about how the tech- 
nology has changed and how to balance the security interests and 
privacy interests, given the technology of today, not the technology 
of 1986. 

So I am very glad that the Committee is interested in these 
issues. Obviously, today’s hearing is just the tip of the iceberg. 
There is a lot that we can talk about. But I think starting off by 
recognizing that this problem exists, both in terms of the new tech- 
nologies and these new types of investigations, is a very important 
first start, and I am happy to be here. Thank you. 

[The prepared statement of Mr. Kerr follows:] 
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May 5, 2010 

Chairman Nadler, Ranking Member Sensenbrenner, and Members of the Subcommittee: 

My name is Orin Kerr, and I am a Professor at George Washington University 
Law School. 1 wish to thank the Members of the Committee for their willingness to delve 
into the complicated and yet extremely important privacy laws that Congress has created 
to protect Internet and telephone communications. T teach these statutes to my students 
as part of my law school course on Computer Crime Law, and my students are routinely 
surprised that the law here is so out-of-date. 

Refonns here are surely needed. The question is, what reforms are best? 1 have 
set out many of my own views in a law review article, A User's Guide to the Stored 
Communicalions Act and a Legislator's Guide to Amending It . published by the George 
Washington Law Review in 2004. But today's hearing has been prompted by a specific 
set of proposals offered by the Digital Due Process coalition. Given that, I thought it 
would be most help to list the proposals offered by the Digital Due Process coalition and 
then respond to them. 

Before I begin, I want to stress two points. First, I think it's helpful to approach 
reforming these statutes with a simple goal in mind: In my view, the goal of the 
Electronic Communications Privacy Act should be to try to match privacy rights in online 
and telephone- based investigations to the kinds of privacy rights we are familiar with in 
traditional physical investigations. Most of us have watched the TV show Law & Order, 
and we're familiar with both the powers that the government has to solve crimes as well 
as the limitations placed on those powers needed to protect and preserve our individual 
rights. Those powers and their limitations reflect a constitutional balance: It is the 
balance that the Supreme Court tries to make in interpreting the Fourth Amendment's 
prohibition on unreasonable searches and seizures. The Electronic Communications 
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Privacy Act is a statutory version of the Fourth Amendment for a new technological age: 
It tries to impose the same sort of balanced approach to the new investigations involving 
new network technologies that the Fourth Amendment strikes in the physical world. As a 
result, the goal of reforming the statute should be to maintain that balance as technology 
continues to change. 

Second, it would be extremely helpful for Congress to precede any amendments 
to these statutes with extensive hearings on the latest technologies and the latest 
government practices. The best way for Congress to update these statutes is to hold open 
hearings in which government officials can explain how they are using these new 
technologies and representatives from Internet service providers and phone companies 
can explain how their technologies work and how they cooperate with law enforcement. 
Without such hearings, we can only guess at the specifics of how different rules will 
actually impact real-world investigations. Informed rulemaking requires a thorough 
understanding of investigative practices and new technologies, and the best way to 
determine that would be through open Congressional hearings. 

With those general points made, let me now turn to the four specific proposals 
made by the Digital Due Process coalition: 


Proposal 1 

"A governmental entity may require an entity covered by ECPA (a 
provider of wire or electronic communication service or a provider of 
remote computing sendee) to disclose communications that are not readily 
accessible to the public only with a search warrant issued based on a 
showing of probable cause, regardless of the age of the communications, 
the means or status of their storage or the provider 's access to or use of 
the communications in its notmal business operations. " 

My reaction'. Generally favorable, but with two reservations. 

Explanation'. I agree that the distinctions found in the current statute malte no 
sense. Further, it is my view that the Fourth Amendment requires a warrant to be 
obtained in this setting, as I explained in a recent article. See Oiin Kerr, Any Ivins the 
Four th Amend me nt to the Internet: A General A p proach, 62 Stan . L. Rev. 100.5 (20 10). 
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As a result, any statutory rule that allows the government to obtain contents with less 
process than a warrant will be unconstitutional in many settings. 

I have two reservations. First, such a rule may not work when the government 
obtains records from corporations that are suspected of engaging in criminal activity. Tn 
the corporate crime setting, the government generally obtains records using subpoenas 
rather than warrants. The government compels the corporation to disclose its records 
under the power of the subpoena without first obtaining probable cause. Because the 
Electronic Communications Privacy Act applies to all providers of electronic 
communication service, however, a warrant requirement for all contents stored by entities 
covered by the statute might inadvertently block investigations into such corporate 
crimes. 

Consider how a warrant requirement might work in that setting. If a warrant is 
required for every compelled access to every e-mail account, the corporation under 
investigation will plausibly insist that each e-mail account of each corporate employee 
must be justified by its own search warrant and its own finding of probable cause. 
Corporations engaged in criminal activity could use this rule by keeping all their records 
stored in the form of e-mails: They could store the evidence of fraud in documents stored 
as attachments, using the protections of the Electronic Communications Privacy to hide 
evidence of fraud from investigators. The result would block many if not most 
investigations into corporate criminal activity. For example, my understanding is that the 
Securities and Exchange Commission (SEC) does not have criminal enforcement power 
and could not obtain a warrant to investigate securities violations under an all-warrant 
rule. The SEC relies on subpoenas, which would not be usable so long as the corporation 
under investigation provided e-mail to Its employees. 

To avoid this, Congress should consider a rule that permits the government to use 
its subpoena authority in the case of investigations into corporate crimes when obtaining 
records from a designated representative of the corporation. A similar rule may also be 
useful in the case of investigations into misconduct by government employees. The 
government employees may have no Fourth Amendment rights in their government- 
provided accounts, but investigators will nonetheless wish to compel the contents of a 
government employee's accounts from the agency that provides the service. If there are 
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no Fourth Amendment protections in that setting, a warrant should not be necessary and a 
subpoena should suffice. 


Proposal 2 

"A governmental entity may access, or may require a covered entity to 
provide, prospectively or rePospectively, location information regarding a 
mobile communications device only with a warrant issued based on a 
show ing of probable cause. " 

My reaction: I disagree in part. 

Explanation: T have two concerns about this proposal. First, it is vague. Second, 
it does not distinguish among different types of location information. 

My first difficulty with this proposal is that it is vague. The proposal would 
require probable cause, but probable cause ofwhaf! Is that probable cause to believe the 
person tracked is guilty of a crime? Or is it probable cause to believe the evidence of 
location information obtained would itself he evidence of crime? 

The difference is important. In the case of a search warrant, "probable cause" 
generally refers to probable cause to believe that the information to be obtained is itself 
evidence of a crime. But cell phone location infonnation will itself be evidence of crime 
only in specific kinds of cases. For example, such information normally will not be 
evidence of a crime if investigators want to obtain the present location of someone who 
committed a past crime. 

To see this, imagine the police have probable cause to arrest a criminal for a crime 
committed last week. The police want to locate the suspect in order to arrest him. In that 
case, the police will not have probable cause to believe that the location of the criminal's 
cell phone is itself evidence of a crime. The suspect's location a week after the crime 
occurred does not give the police any information indicating that the suspect did or did 
not commit the crime. But if the police have probable cause to arrest someone, and they 
know his cell-phone number, I would think the law should allow the government some 
way of locating the suspect pursuant to an appropriate court order. A requirement that 
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location information be obtainable only based on probable cause to believe that the 
location infomiation is itself evidence of a crime would not seem to allow that. 

My second concern with the proposal is that not all location information is created 
equal. The level of cause that should be required may depend on the resolution of that 
identity information. Location information that tells investigators only that a suspect is 
somewhere in Manhattan is quite different from location information that tells 
investigators that a suspect is in the far left corner of his bedroom. Before legislating in 
this area, I think the committee should hold a hearing focused on the technology. Just 
how much resolution does location information from cell phones actually reveal? How 
is technology likely to change? 

Such distinctions are important because mobile phone location can be determined 
in different ways. When investigators seek historical location data - that is, location data 
indicating where a phone was located at some point in the past when a crime occurred - 
the available information is likely to give only a very rough indication of location. In that 
case, the available information normally will consist only of indicating what cell towers 
were used to transmit calls to and from a phone in the past. So-called "cell site" 
information is generated because cell phones must communicate with local cell towers to 
transmit and receive calls: The Information as to what cell towers a particular phone is 
communicating with gives the cellular phone provider a rough idea of the location of the 
phone. 

Other techniques can be used to obtain more exact location information in "real 
time," that is, as a crime is actually occurring in the present. For example, GPS-enabled 
cell phones calculate location information by receiving signals transmitted from satellites 
in orbit. Cellular provide providers can then obtain the information received from those 
signals, and that infonnation generally is much more precise than historical cell-site data. 
Similarly, cell phone providers normally can obtain precise information on the physical 
location of a cell phone in real time using methods that measure the strength and timing 
of communications between a particular cell phone and multiple towers. My 
understanding is that different telephone providers have different abilities to perfonn this 
sort of precise location determination in real time. 
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Given the range of different techniques that could be used to determine the 
location of a mobile phone, and the different resolution of the different techniques, it 
would be very helpful to have a hearing on the latest types of technologies and 
government practices. Representatives of cell phone providers can give you the most 
accurate sense of how their networks work and what information they can provide. 
Government officials can testify as to exactly how they use cellular phone location 
infonnation. What are the cases? Is such infonnation used to monitor ongoing crimes, 
such as monitoring a known criminal as he commits an offense? Is it used to find 
individuals known to have committed past crimes? Is it used to try to prove that a 
suspect was in a location in which a crime occurred, to rule out a potential alibi? It is 
hard to know the right level of protection without knowing the kinds of cases to which 
the new rule will be applied. 


Proposal 3 


"A governmental entity may access, or may require a covered entity to 
provide, prospectively or in reed time, dialed numher information, email to 
and from information or other data cmrently covered hy the authority for 
pen registers and trap and trace devices only after judicial review and a 
court firuling that the governmental entity has made a showing at least as 
strong as the showing under 2703(d). " 


My reaction. I agree. 

Explanation: I agree that the standard for obtaining information under the pen 
register statute should require judicial review and should be raised to the specific and 
articulable facts standard used in 18 U.S.C. § 2703(d). However, I think the standard 
should not be higher than that. In particular. Congress should not require a warrant given 
that the kind of information here is non-content data rather than content data. 
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Proposal 4 

"Where the Stored Communications Act authorizes a subpoena to acquire 
information, a governmental entity may use such subpoenas only for 
information related to a specified account(s) or individualfs). All non- 
particidarized requests must be subject lo judicial approval. " 

My reaction: I'm certainly open to it, but it's very vague. 

Explanation: 1 have no objections to the idea of requiring judicial review for 
bulk requests, but f m not entirely sure what line the Digital Due Process coalition intends 
to draw with this proposal. What is the line between a "particularized" request and a 
"bulk" request? 

For example, imagine the government seeks records of the Internet accounts 
assigned to a specific Internet Protocol address during a one-week period. Is that a 
"particularized" request or a "bulk" request? On one hand, it doesn't seem to specify the 
account or individual, but on the other hand it will often be the case that only one account 
was associated with that IP address during a one-week period. Similarly, imagine the 
government submits 1,000 account names and obtains a single subpoena to gather the 
basic subscriber information for all 1,000 accounts. On one hand, that seems to be a bulk 
request. On the other hand, it specifies which individual accounts will be obtained. 

Greater clarity would be helpful to understand what the Digital Due Process 
coalition has in mind with this proposal. Further, additional hearings into the details of 
the investigations that prompted this proposal would be helpful. As I explained in the 
beginning of my testimony. Congress needs to be infonned about what is actually 
happening "on the ground" before it can make sensible rules to govern those practices. 
Open hearings on the use of bulk requests to obtain identify information would give 
Congress a better sense of what is actually happening. This could then be used to craft 
the appropriate response to best balance government needs and individual privacy 
interests. 
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Mr. Nadler. Well, thank you. 

And we will now recognize Ms. Levins for an opening statement. 

TESTIMONY OF ANNMARIE LEVINS, ASSOCIATE GENERAL 
COUNSEL, MICROSOFT CORPORATION 

Ms. Levins. Thank you, Mr. Chairman. 

Mr. Chairman, Members of the Subcommittee, my name is 
Annmarie Levins. I am an associate general counsel at Microsoft. 
I manage the legal support for Microsoft U.S. and Canadian sub- 
sidiaries. My team is responsible for contracts with our customers 
and partners for anti-piracy and digital crimes investigations, for 
Internet safety work and other areas. 

Before joining Microsoft in 1998, I had the privilege of serving 
as an Assistant United States Attorney in Seattle for 3 years and 
before that in the Southern District of New York for seven. During 
my 10 years as an A-USA, I worked with many smart, dedicated 
law enforcement officers investigating organized crime, racket- 
eering, narcotics and financial fraud cases. 

Thank you for this opportunity to share Microsoft’s views on the 
reform of ECPA. Microsoft is in a unique position to comment on 
the need for ECPA reform. We have offered Internet-based services 
for almost 15 years, dating back to MSN dial-up Internet service. 
We have offered Hotmail, our free Web-based mail service, since 
1997. 

Today we offer a full array of cloud computing services, including 
our hosted suite of Enterprise class e-mail, relationship manage- 
ment and collaboration tools, and our cloud-based storage and com- 
puting resources called Microsoft Azure. Our customers range from 
individuals to small and medium-sized businesses to some of the 
largest multi-national corporations in the world. 

From our vantage point, we have seen how the technologies gov- 
erned by ECPA have evolved over the years since its enactment 
and the tremendous potential these technologies represent for all 
of our customers. Today users can store documents, data and com- 
munications to central locations and access them anywhere in the 
world on a wide variety of devices, including laptops, phones and 
other forms of personal devices. 

Increasingly, Web-based accounts are used interchangeably with 
local storage devices. As these Internet-based resources become 
part of our everyday computing experiences, users may not even re- 
alize that the legal protection afforded their data and documents 
are not necessarily the same when they use third-party storage and 
processing capabilities in place of their own computers or networks. 

While there has been a fundamental shift in the amount of sen- 
sitive information that we now trust to third parties, the law has 
not shifted in parallel to preserve reasonable privacy interests. 
Quite simply, the basic technological assumptions upon which 
ECPA was based are outdated. The nature of the protection af- 
forded to stored electronic communications has not kept pace with 
the many innovations in online computing over the last 24 years. 

For example, ECPA extends greater privacy protections to e-mail 
storage for less than 180 days than e-mail stored for more than 180 
days. This distinction might have made sense in 1986 when e-mail 
services did not automatically retain messages for long periods of 
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time, but the distinctions no longer bear any relationship to reality. 
Hosted e-mail and other online services regularly store e-mails and 
other content for years, and users today reasonably expect these 
communications to remain just as private on day 181 as they were 
on day 179. 

Microsoft believes that now is the time to address these issues. 
We are on the verge of a transformative age in Internet cloud- 
based computing. Cloud computing services can increase effi- 
ciencies for business and government, lower IT costs, create energy 
savings, and spur innovative job-creating enterprises. They will en- 
able small and medium-size businesses, individual entrepreneurs 
and other innovators to tap into computing resources that pre- 
viously had only been available to the largest companies, and at a 
fraction of the cost. 

These capabilities can drive innovation, make America’s busi- 
nesses more competitive, and ultimately contribute to economic 
growth. But unless we are able to preserve and protect users’ pri- 
vacy interests to meet their reasonable expectations, adoption of 
cloud computing services may be limited, and the full potential of 
cloud computing may not be realized. 

Indeed, in a recent poll conducted for Microsoft, more than 90 
percent of the general population and senior business leaders said 
they were concerned about security and privacy when they con- 
templated storing their own data in the cloud. This is among the 
reasons why Microsoft joined the Digital Due Process coalition in 
the launch of a new initiative to update ECPA. 

We understand the importance of supporting lawful investiga- 
tions and spend significant resources every year to help make the 
online environment safer for all users. The Microsoft Digital 
Crimes Unit that I oversee was created specifically to assist law 
enforcement in pursuing digital crimes and to provide training to 
prosecutors and investigators around the world. 

In conclusion, Microsoft believes that the decisions about the 
right balance between users’ reasonable expectations of privacy and 
law enforcement’s legitimate interests should be made by Congress, 
with input from all key stakeholders, rather than as a result of un- 
anticipated shifts in technology. 

We view the Digital Due Process coalition proposal as a good 
starting point for Congress’ inquiry. Ultimately, smart, targeted re- 
forms of ECPA are essential to restore proper balance between pri- 
vacy and law enforcement in the digital age and will help cloud 
computing fully deliver on its promise. 

Thank you for the opportunity to testify today. On behalf of 
Microsoft, we appreciate this Committee’s leadership in addressing 
these important issues, and we look forward to working with you. 

[The prepared statement of Ms. Levins follows:] 
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Chairman Nadler, Ranking Member Sensenbrenner, and honorable Members 
of the Committee, my name is Annmarie Levins, and I am an Associate General Counsel at 
Microsoft Corporation. In that capacity, I manage the legal support for Microsoft's U.S. and 
Canadian subsidiaries, directing the legal teams responsible for licensing and services 
transactions, anti-piracy investigations and enforcement, Internet safety work, and other 
areas. One of the teams that I oversee is the Microsoft Digital Crimes Unit — which is 
devoted to working with law enforcement to fight digital crime. Before joining Microsoft in 
1998, 1 served in the U.S. Attorney’s Office in Seattle for three years as Co-Supervisor of the 
Financial Fraud Investigations Unit. Prior to that, I served for seven years as an Assistant 
U.S. Attorney in Southern District of New York with a focus on organized crime and 
racketeering investigations. 

Thank you for this opportunity to share Microsoft's views on reform of the 
Electronic Communications Privacy Act of 1986 (ECPA). We appreciate the initiative that 
this Committee has taken in holding this hearing, and we are committed to working 
collaboratively with you, consumer organizations, law enforcement agencies, and all 
Americans to ensure that users' privacy interests are adequately protected in the digital 
age. As Microsoft's General Counsel, Brad Smith, announced in a speech at the Brookings 
Institution in January, we support efforts to modernize ECPA and bring the statute into 
alignment with today's technological realities. 

ECPA was passed by Congress almost 25 years ago to establish rules that govern 
whether and how law enforcement can compel third party telecommunications and 
Internet service providers to disclose customer account information and stored 
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communications which they hold incident to their services. The law was originally 
designed to strike a balance between the legitimate needs of law enforcement, the burdens 
on service providers, and the public's reasonable expectations of privacy. 

Microsoft is in a unique position to comment on the need for ECPA reform. We have 
offered Internet-based services for almost 15 years, dating back to MSN's dialup Internet 
service. We have been offering Hotmail, our tree, web-based email service, since 1997. 
Today, we offer a full array of cloud computing services to individuals as well as to 
enterprises, including our hosted messaging and online collaboration solutions, Microsoft 
Business Productivity Online Suite, and our cloud-based storage and computing resources, 
Microsoft Azure. From our vantage point, we have seen the full arc of how online services 
have evolved over the time since EPCA was passed in 1986. 

It is our experience that the state of the law has not kept pace with developments in 
technology. Today, users can store documents, data, and communications to networked 
computers and connect to them from anywhere in the world using a wide variety of 
devices, including laptops, phones, and other personal electronic devices. Increasingly, 
Web-based accounts are used interchangeably with local storage devices. As these 
Internet-based resources become part of our everyday computing experiences, users may 
not even realize when they are using third party storage and processing capabilities. 
Accordingly, we believe users would be surprised to learn that the legal protections 
afforded their information will vary depending upon whether it is in the hands of a third 
party service provider at the moment the government seeks to obtain it. 
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Over the last 20 years, there has been a fundamental shift in the amount of sensitive 
information that we entrust to third parties, but the law has not shifted in kind to maintain 
the proper balance between the needs of the law enforcement and the public's reasonable 
expectations of privacy. The reason is that ECPA, the law that regulates whether and how 
the government can require third party Internet and telecommunications providers to 
disclose customer information and stored communications, relies on outdated notions of 
how individuals and businesses interact with information technology. 

Microsoft believes that now is a critical time to address these issues. We are on the 
cusp of a potentially transformative age of internet-based "cloud" computing. Cloud 
computing services can increase efficiencies for businesses, lower IT costs, create energy 
savings, and spur innovative job-creating businesses. However, unless users' privacy 
interests are preserved and protected to meet their reasonable expectations, adoption of 
these services — particularly by enterprises — may, unfortunately, be rather limited and the 
full potential of cloud computing may not be realized. 

This is among the many reasons why Microsoft has joined a broad coalition of 
advocacy groups, technology companies, and academics in the launch of a new initiative — 
the Digital Due Process Coalition. This Coalition is focused on updating ECPA to account for 
the profound changes in technology over the last two decades and to ensure that users' 
legitimate expectations of privacy are fully respected while also taking account of the needs 
of law enforcement. In advocating changes to ECPA, Microsoft in no way seeks to 
undermine the legitimate interests of law enforcement in obtaining access to electronic 
data in third party hands. Rather, this coalition's efforts are intended to open a dialogue 
with all interested stakeholders, including the government, so that we can restore the 


- 4 - 



49 


original balance struck by Congress when ECPA was passed in 1986 between the needs of 
law enforcement to conduct lawful criminal and civil investigations and the rights of our 
citizens to have their sensitive stored communications protected against unreasonable 
governmental searches and seizures. 

I. THE EMERGENCE OF CLOUD COMPUTING AND THE CHALLENGE OF PRIVACY 

INTERESTS IN THE CLOUD 

We have entered a new era in computing, one in which software programs running 
on users' own PCs and IT systems increasingly are complemented by Internet-based cloud 
computing services. Microsoft has invested heavily in building a cloud infrastructure and 
providing cloud services because we believe they offer enormous benefits to our 
customers. These include greater efficiencies for organizations, including governments, to 
customize and rapidly scale their IT systems for their particular needs, expanded access to 
computational capabilities previously available only to the very largest companies, better 
collaboration through "anytime, anywhere” access to IT for users located around the world, 
and new opportunities for innovation as developers move to this new computing paradigm. 

As a provider of cloud computing services, we are well situated to observe both 
these technological advances and user's choices and preferences for cloud services. Users 
care that their computing services and applications function as they expect and seamlessly 
interoperate with other computing services and applications. Increasingly, we are moving 
towards a world where users will focus less on whether their data and communications are 
stored and processed in a hard drive within the confines of their own networks or, instead, 
are accessed remotely via the Internet. We believe they do — and will continue to — care 
deeply about how their information is protected. In a recent poll conducted by Microsoft 
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and Penn, Schoen, and Berland, more than 90 percent of the general population and senior 
business leaders said that they were concerned about the security and privacy of personal 
data when they contemplated storing their own data in the cloud.' 

While we believe there are compelling reasons for customers to take advantage of 
cloud-based services that will enhance the productivity of their software, we also believe 
that the concerns reflected in this survey should not be ignored by policymakers. The use 
of cloud services invariably involves the processing and storage of data on equipment that 
is owned or controlled by third parties. In other contexts, such as stored bank records and 
telephone calling information, courts have held that the disclosure of such information to 
third parties (e.g., banks and telephone companies, respectively] as part of using their 
services may diminish a user's reasonable expectation of privacy vis-a-vis the government. 
While the Fourth Amendment law in this area is unsettled — particularly with regard to the 
contents of communications held by third party services providers — such uncertainty has 
the potential to undermine public confidence in the adoption of cloud computing services. 

In enacting ECPA almost 25 years ago. Congress moved to affirmatively address the 
uncertainty of the Fourth Amendment in connection with electronic communications 
services and computing. While the law has served us well for many years, continued 
advances in technology — and in particular the advent of widely available and low cost 
Internet-based cloud computing and storage services — call into question whether ECPA is 
adequate to meet our reasonable expectations of privacy today, much less in the future. 
This uncertainty not only may deter users from adopting cloud services and reaping their 

' See Microsoft Poll Fact Sheet, available at https://www.microsoft.com/ 
presspass/presskits/cloudpolicy/docs/PollFS.doc 
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benefits, but also may make businesses and other entities hesitate for fear that both their 
own information and that of their customers will enjoy less protection against government 
access than if they store the data locally. Put simply, the full benefits of cloud computing, 
which we believe will foster the development of innovative, job creating business models, 
will not be realized if users fear that data they create or store in the cloud is less private 
and secure than data they create or store locally. 

The absence of a clear legal framework also can impact the competitiveness of 
online services offered by U.S. companies. It has become clear to us that foreign users — 
and particularly foreign enterprises — may be reluctant to use online services offered by 
U.S. companies for fear that data processed or stored with such services will be subject to 
less or uncertain protection under American law. Although a multilateral framework for 
law enforcement access to data in the cloud is beyond the scope of this hearing, clarifying 
our own laws by amending ECPA would be an important step in the right direction. 

II. SUPPORT FOR ECPA REFORM 

To address the uncertainty in the current scope of Fourth Amendment protection in 
the online world and to give potential users of cloud computing confidence that they will 
not suffer a loss of privacy by moving data to the cloud, we urge Congress to reform ECPA. 
At its inception, ECPA was intended to create a balance among the rights of individuals, the 
burdens on service providers, and the legitimate needs of law enforcement with respect to 
data shared or stored in various types of electronic and telecommunications services. 

ECPA grants certain protections to user data when it is transferred across or stored in such 
systems and establishes rules that law enforcement must follow before they can access that 
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data. Depending on the type of customer information involved and the type of service 
being provided, the process law enforcement must obtain in order to require disclosure by 
a third party will range from a simple subpoena to a search warrant based upon probable 
cause. 

This framework made sense when it was adopted in 1986. However, in the 
intervening decades, the balance has shifted between the equities of users and law 
enforcement. This shift did not result from any policy decision by the Congress; rather, it 
resulted from technological advancements the effect of which has been to put more 
sensitive personal information of individuals within the reach of law enforcement tools 
that require a lower burden of proof 

Quite simply, the basic technological assumptions upon which the Act was based 
and the nature of the protection afforded to stored electronic communications have not 
kept pace with the many innovations in online computing over the last 25 years. For 
example, ECPA extends greater privacy protections to emails stored for less than 180 days 
than emails stored for more than 180 days. These distinctions might have made some 
sense in 1986, when email services did not automatically retain messages for long periods 
of time. But that distinction no longer bears any relationship to reality. Hosted email and 
other online services regularly store emails and gigabytes of other user-generated content 
for years, and users today reasonably expect these communications to remain just as 
private on day 181 as on day 179. 

Because ECPA has been overtaken by technological change, Microsoft supports the 


Digital Due Process Coalition's ("DDP Coalition"] efforts to modernize ECPA. In particular. 
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Microsoft supports changes that will ensure that individuals and businesses do not suffer a 
decrease in their level of privacy protection when they move data from on-premises 
computers to the cloud. 

In recommending these changes, Microsoft also recognizes the legitimate needs of 
government investigators in obtaining access to data in the cloud. We spend significant 
resources every year working with and training law enforcement officers, agents, and 
prosecutors at the federal, state, and local government level. The Digital Crimes Unit that 1 
oversee was created to assist law enforcement with its work and provides training to 
prosecutors and investigators around the world. We understand the importance of 
supporting lawful investigations. And, we remain committed to responding to emergency 
requests for assistance in matters where death or serious bodily injury are threatened even 
without being compelled to do so; the DDF Coalition's proposal would in no way threaten 
this cooperation. 

Microsoft is not seeking special privacy protection for data in the cloud. Rather, we 
support focused, targeted changes to ensure that users enjoy the same level of privacy 
protection over data they store in the cloud as they currently enjoy when they store data 
locally. It is true that some actions that government agencies can take today under ECPA to 
gain access to information in third party hands might no longer be possible under the 
changes proposed by the DDF Coalition. Nothing in the DDP's proposals would, however, 
limit the government's power to compel the production of information directly from its 
owner. Moreover, the changes would rectify important inconsistencies in how the law is 
applied to user data and communications and would seek to create a modern set of clear 
and balanced rules to regulate government access to private data and communications in 
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third party hands. Moreover, we think that decisions about where the right baiance iies 
shouid be made consciousiy by iawmakers after an open diaiogue about the issues rather 
than as a resuit of unanticipated shifts in technology. Microsoft hopes the DDP Coalition 
proposal will serve as a helpful starting point for that dialogue with all stakeholders, 
including law enforcement. 

III. CONCLUSION 

Updating America's privacy laws as they apply to the online environment is a 
worthy and crucial objective. Microsoft believes that ECPA can be reformed in such a way 
that consumers will feel confident in the privacy of their data stored in the cloud without 
compromising the legitimate interests of government agencies in obtaining access to 
information necessary to carry out their law enforcement responsibilities. By responsibly 
reforming ECPA, we can restore the balance between the rights of individuals, the 
obligations of service providers, and the needs of law enforcement that motivated Congress 
to pass ECPA in 1986. This will help cloud computing fully deliver on its promise of 
increased efficiency, cost savings, and innovation to governments, businesses, and 
individual users alike. 

Thank you for giving us the opportunity to testify today. We look forward to 
working with you on this important issue. 
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Mr. Nadler. Thank you. 

The witnesses having completed their initial statements, we will 
turn to questions. And I will begin by recognizing myself for 5 min- 
utes. 
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Mr. Dempsey, are any of the Digital Due Process principles in- 
tended to change a service provider’s ability to share information 
with law enforcement in an emergency? 

Mr. Dempsey. Absolutely not. We make it clear that there are 
emergency exceptions in the law right now, which permit disclosure 
of information without a warrant, without a subpoena, in emer- 
gency circumstances, and we would leave those untouched. 

Mr. Nadler. Thank you. 

Ms. Levins, you indicated in your testimony that ECPA relies on 
outdated notions of how individuals and businesses interact with 
information technology. I assume among other things you are talk- 
ing about — well, we know you are talking about cloud computing, 
because you mentioned it specifically. 

Can you tell us more about cloud computing and why this tech- 
nology is “transformative?” And what benefits does it offer to soci- 
ety? And how do we support such technological progress as we at- 
tempt to balance the interests of privacy and law enforcement? All 
in about 5 minutes. 

Ms. Levins. Thank you, Mr. Chairman. I would be happy to ad- 
dress that. 

Cloud computing is important, because it opens the door for ev- 
eryone to use the most powerful computer capabilities there are. It 
used to be that you couldn’t afford to buy that kind of computing 
capability and storage unless you were a big company, but now you 
can use your desktop, your laptop, and use storage facilities that 
are maintained by a third party to do that kind of computing and 
storage that was previously unavailable on your home network 

Mr. Nadler. Storage or storage and computing capacity? 

Ms. Levins. Both. 

Mr. Nadler. Both. 

Ms. Levins. Both. 

So that is the first part. I mean, and I think that that opens 
doors to all kinds of businesses to expand the way they do business 
in ways that weren’t even thinkable when ECPA was passed in 
1986. 

Mr. Nadler. And what do you think the implications for the de- 
velopment of cloud computing are if government access to e-mail 
content stored in the cloud continues to be subject to a legal stand- 
ard different from that applied to other forms of data storage? 

Ms. Levins. And I think that is a critical question, because what 
we found and what our poll showed is that people are very con- 
cerned that by putting data in the cloud, are they going to have 
the same level of privacy and security that they would have if they 
maintained it within their own four walls of their company or 
home. I think that they will be reluctant to move to the cloud and 
take advantage of this opportunity, if they aren’t assured of what 
the standard of that privacy is and it doesn’t meet their reasonable 
expectations. 

Mr. Nadler. So we have to make sure that there is a standard 
of privacy equal to what they would be on your own personal hard 
drive, or just a certainty of letting people know at some other level? 

Ms. Levins. Well, certainty is important, but I think in fact if 
you are talking about content, people expect that what they would 
have on their hard drive, in their personal hard drive, should be 
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protected in the same way. Put the other way, the information in 
the cloud should be protected in the same way that their 

Mr. Nadler. And to the same legal standard. 

Ms. Levins [continuing]. Hard drive would. And that is particu- 
larly true, I think, of corporations, I would guess. 

Mr. Nadler. Now, but the importance of maintaining privacy in 
the cloud is what you just said, but we have to maintain security 
in the cloud, too. How do you balance them? 

Ms. Levins. Well, I don’t think they are inconsistent. And Micro- 
soft, for example, has taken lots of steps to make sure that we have 
the best security that we can, and we are constantly working to- 
ward meeting the highest standards that are recognized in the in- 
dustry. 

We think one of the most important things that could happen in 
this area is to have greater transparency about the security prac- 
tices that companies offering cloud services are adopting and using. 
So it goes hand-in-hand with privacy. Users want to know that 
their information is safe, and they want to know that it is being 
secured and their privacy is being secured. 

Mr. Nadler. Thank you. 

Professor Gidari — Mr. Gidari — you indicated in your testimony 
with respect to location-based information that there has been a 
magistrate’s revolt for several years. Can you describe what you 
mean by this phrase and in what ways, if any, it has been fo- 
mented by the government’s interpretation of ECPA? 

Mr. Gidari. Yes, Mr. Chairman. 

Over the last 3 or 4 years, a number of magistrates have objected 
to automatically approving, as part of pen register orders, requests 
to disclose the location of a cell phone in real time prospectively on 
an ongoing basis. They objected to using the pen register standard 
alone or in combination with what is known as a specific and 
articulable facts order, or as the government calls it, a hybrid 
order, to authorize that disclosure. 

Other magistrates disagree and believe that the standard is ac- 
ceptable. But about three to one ratio, these magistrates have be- 
lieved that a probable cause standard is necessary to track and fol- 
low an individual. 

And that mini revolt, if you will, has resulted in very incon- 
sistent standards within judicial districts, as a magistrate sitting 
next to another magistrate could completely disagree, and have dis- 
agreed, issuing orders that have different standards. So one person 
might be tracked according to one standard, another one to a high- 
er standard. And then within the states themselves, the ECPA, of 
course, that is the floor. 

Mr. Nadler. But you would get that in any event. Even if we 
wrote a standard in law, a more specific standard, you would get 
judges disagreeing with that, and until it went up to the circuit or 
Supreme Court, you would have judges sitting next to each other 
issuing different decisions, no? 

Mr. Gidari. You certainly would, from a service providers’ per- 
spective. Which rule applies? Which order should pertain? What re- 
sponsibilities do they have to their users to object to that order? 
The rules for location information today just simply don’t state 
under 
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Mr. Nadler. They should state it more specifically. 

Mr. Gidari. Absolutely. 

Mr. Nadler. Mr. Dempsey, you look like you wanted to comment 
on that. 

Mr. Dempsey. I am just saying that right now you sort of have 
an open field, a green field — sort of no guidance at all. 

Mr. Nadler. So we need statutory guidance. 

Mr. Dempsey. The statute would — we would try to make it as 
specific as possible and precise as possible, but at least it would 
provide some context within which the courts would operate. 

Mr. Nadler. Okay. Thank you. 

My final question is to Professor Kerr. In some of your recent 
scholarship in applying the Fourth Amendment to the Internet, you 
talk about replacing the inside-outside distinction common to 
Fourth Amendment jurisprudence with the content-noncontent dis- 
tinction. 

Can you tell us what this means and how you believe it extends 
consistent application of the Fourth Amendment principle to cyber- 
space? And is the analogy perfect, or does it give rise to any nota- 
ble exceptions we should be aware of? 

Mr. I&RR. The basic idea here is when courts are considering 
how to apply the Fourth Amendment, which was created for a 
physical space, to a network environment, they should think about 
how to create a set of rules that tries to replicate how the Fourth 
Amendment applies in the physical world to this network space. 
And the basic idea is that the contents of some of these commu- 
nications, these actual messages, are the online equivalent of stuff 
that would happen inside and would be protected by the Fourth 
Amendment in the physical world. 

On the other hand, the non-content information that a network 
creates is essentially the online equivalent to transactional infor- 
mation that would have occurred outside in the physical world. 
Now, if you follow that idea, the basic idea is that networks are 
doing for us what we used to do in the physical world. Basically, 
the network is coming to us instead of us having to go out into the 
world. And the idea is it creates a rough parallel between how the 
Fourth Amendment should apply in the physical world and how 
the Fourth Amendment should apply in the Internet. 

Now, of course, it is just a Law Review article. We don’t know 
whether courts are ever going to follow this. And in fact, there is 
a Supreme Court case right now, Quon versus City of Ontario, in 
which the Supreme Court is trying to figure out for the first time 
how does the Fourth Amendment apply to text messages. I went 
to the oral argument, and the justices were as puzzled about this 
question as anyone could be. 

So we are just trying to figure out these issues, and the idea that 
content-noncontent distinction is just an initial first start to try to 
figure out how the Fourth Amendment should apply, and by anal- 
ogy, how the statute could be drafted to recognize the stronger pro- 
tection for content and for noncontent. 

Mr. Nadler. Thank you very much. 

My time has expired. I will now recognize the distinguished gen- 
tleman from North Carolina. 

Mr. Watt. Thank you, Mr. Chairman. 
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I think I will acknowledge at the outset how ill prepared techno- 
logically I feel to engage in this discussion, and ill prepared, yes. 
I feel like a Neanderthal in this area. So let me — I want to ask a 
couple of questions that — and then I just want somebody to give me 
some examples of the kinds of things that are going out there that 
we should be worried about, given the failure to update the statute. 
But let me talk about process first. 

Mr. Dempsey, you talked in your testimony about a long period 
of dialogue and consensus building being needed. 

Mr. Gidari, you seemed to suggest, although not explicitly, that 
clarity was more important than substance of where you get to, so 
I am trying to figure out how long we should be working on this 
before we get to some kind of legislative solution. Is clarity of a 
rule more important than getting the rule right, the new standard 
right? 

What kind of time are you talking about for dialogue and con- 
sensus building, Mr. Dempsey, and does that fit with your urgency 
for clarity, even if the clear standard is the wrong standard? 

Mr. Dempsey. Well, honestly, I think, you know, my own time- 
frame is if a year from now we could be here with that piece of leg- 
islation that would be, you know, a markup or something a year 
from now would be a good target. But I think it is going to take 
a while. We are not pushing, as I said, for introduction of legisla- 
tion immediately. 

I think we do have, and as we go through this process here, we 
do have some touchstones, and we can think about some of the 
analogies. They only take you so far, but they help. Take what we 
are talking about in terms of cloud computing. If you have a docu- 
ment on your computer in your office, or if you have that document 
printed out, that is protected by the Fourth Amendment — a per- 
son’s house, his papers and effects. I think nobody has any doubt 
that “papers” includes your laptop. 

If, however, as now — and by the way, if you 

Mr. Watt. Wait a minute, now. You are going to take my whole 
5 minutes talking about something that I am trying to find — ^you 
say a year from now, and I — let me give 

Mr. Dempsey. Okay, but I do want to come back to the question 
here of what are the guideposts we have that get us both the clar- 
ity and the substance. 

Mr. Watt. I am just talking about the timeframe now. I am not 
even talking about what the content is. Is a year from now too long 
from a clarity perspective, Mr. Gidari? 

Mr. Gidari. I think lawyers will find ambiguity in a No Smoking 
sign for the rest of our lives, but if that is the case, fix it, fix it 
right. If it takes a little longer to do that, we would rather have 
it right than wrong. But that doesn’t mean they are inconsistent. 

Mr. Watt. So the real question I am trying to get to is what risk 
do we run in this interim? And that is where I get to the second 
part of the question. I mean, what are the horror stories that are 
going on out there? I mean, give me a couple of concrete horror sto- 
ries that is going on in this interim while we are trying to either 
build consensus or get the standard right. 

Mr. Dempsey. Well, here is one example. Every one of us prob- 
ably has 5, 6, maybe 10 years worth of e-mail stored, either stored 
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on our local computer or often stored with a service provider like 
MSN or Gmail or another provider. 

Mr. Watt. That is somewhere in a cloud stored. 

Mr. Dempsey. That data is stored on a remote 

Mr. Watt. Which I had never heard of until today, but that is 
all right. 

Mr. Dempsey. We are talking here just about, you know, when 
people used to draw a picture with a computer over here and a 
computer over here and then a cloud in the middle, that Internet 
server is in the cloud. 

Mr. Watt. I get the concept. 

Mr. Dempsey. And that is where a lot of our data is going. 

The way ECPA now works, it says that that e-mail 180 days old 
or less is protected by the Fourth Amendment warrant standard. 
The minute it turns 180 days old, it is available with a mere sub- 
poena issued without judicial approval. 

The Justice Department takes the position that the minute that 
e-mail is opened at all — in fact, from the sender’s perspective, the 
minute it is sent, it loses its warrant protection. Fully protected 
passing over the wire, the minute it reaches — ^you finish sending it 
or the minute the user, the intended recipient, opens it and looks 
at it, it falls outside of the protection of the warrant. 

Same document, if you print it out, leave it on your desk, pro- 
tected. Same document, you put it in a box and you lock it in one 
of those storage lockers out in the suburbs, protected by the Fourth 
Amendment. But locked up in the cloud, not protected by that re- 
quirement. 

In the Ninth Circuit, the Ninth Circuit has rejected the Justice 
Department view and has said that a warrant is required. So what 
happens now is if the warrant is subject to the jurisdiction or the 
subpoena is subject to the jurisdiction of the Ninth Circuit, it is re- 
jected, and a warrant is required. If it is outside of that, it is a lit- 
tle unclear. 

In Colorado a month ago the Justice Department sought e-mail 
without a warrant. Yahoo said, “No, go get a warrant, even though 
we are outside of the Ninth Circuit.” The Justice Department 
backed down, said okay, withdrew the request. 

That is the kind of uncertainty you are getting. And there is 
overarching it all the possibility that these cases will percolate up 
through the courts and that the statute will be held unconstitu- 
tional, if the Justice Department pushes its position. 

Mr. Watt. Because it is too vague? 

Mr. Dempsey. No, because the warrant is not. Where the statute 
currently permits access without a warrant, if Professor Kerr is 
right that a warrant is required, that content is like a letter, it is 
like a phone call, it should be protected, so you do run that con- 
stitutional risk. 

I still agree with Mr. Gidari and my initial statement that, you 
know, we have lived with that ambiguity now for 5, 10 years. I just 
don’t see how we are going to push this forward. Given the law of 
unintended consequences, we want to make sure we don’t screw 
things up worse. 

Mr. Watt. Thank you. 

I am way over my time, so I will yield back. 
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Mr. Nadler. In that case, we will recognize the gentleman from 
Virginia for 5 minutes. 

Mr. Scott. Thank you, Mr. Chairman. 

Mr. Dempsey, it seems to me that a person doesn’t think any dif- 
ferent about an e-mail as saved in the cloud as on the computer. 
Why would the e-mail in the cloud he any different than the e-mail 
stored in that storage bin in the suburbs that you talked about? 

Mr. Dempsey. I don’t think it should, and the conclusion that we 
came to in our preliminary dialogue is that it shouldn’t. 

If you go back to 1986, I think what you end up with is this was 
a distinction based upon the way the technology worked in 1986. 
Storage was expensive, and service providers did not store e-mail. 
If you go back to the early days of AOL, you read that, you 
downloaded it, it was deleted from the computer of the service pro- 
vider. 

Congress thought 180 days would be the absolute conceivable 
outside limit, and after that it was sort of like abandoned property 
or a 

Mr. Scott. Well, once it gets into the cloud, can anybody get ac- 
cess to it? 

Mr. Dempsey. The 

Mr. Scott. I mean, beside — I mean, could I look into Representa- 
tive Watts’ cloud? 

Mr. Dempsey. No, no, no, no. It really is — the cloud actually is 
potentially more secure in some ways than local storage. You have 
the service providers of cloud storage capabilities making a lot of 
effort to secure that information. 

Mr. Scott. So this is being kept in a place that is secure from 
anybody else, and it is just I am the only one that can access my 
part of this cloud. 

Mr. Dempsey. You or the person to whom you give consent. 

Mr. Scott. And so I have an expectation that this is private in- 
formation. 

Mr. Dempsey. That is certainly the way the average person looks 
at it. That is one of these changes that has occurred, the technology 
changes that have occurred in the past 10 years that we are talk- 
ing about. 

Mr. Scott. Ms. Levins, when Microsoft has to respond to a lot 
of warrants and subpoenas, it costs money. Does the government 
incur any of the expense, or they just let you worry about it? 

Ms. Levins. Congressman Scott, that is not my area of expertise. 
I would have to get back to you with that information. I know my 
colleagues do know that. I don’t have that with me. 

Mr. Scott. Does anybody know who — what 

Mr. Gidari. The statute authorizes reimbursement for non-toll 
records, so phone companies give them away for free in large 
amounts, but electronic communication service providers are enti- 
tled to charge for them. Not all of them do. Many provide that serv- 
ice to law enforcement for free. Others charge a reasonable cost. 

Mr. Scott. But some information can be obtained fairly easily. 
Some takes a little complication where you have to program the 
computer and pay expenses to get the information, and some of it, 
I imagine, gets kind of expensive after a while. 

Mr. Gidari. That is right. 
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Mr. Scott. And you can charge for that expense? 

Mr. Gidari. That is correct. 

Mr. Scott. Does anybody have any concern, if we keep talking 
about how government does all this surveillance, that we might 
publicize their techniques and compromise investigations? 

Mr. Dempsey. I have always thought that we could have the dis- 
cussion without compromising techniques. I think we can talk at 
the level of specificity necessary to draft a clear statute, incorporate 
the Fourth Amendment principles, and do that in a way that 
doesn’t get into the technology at all. In fact, technology neutrality, 
I think, is one of the principles that we are trying to achieve here. 

Mr. Scott. Okay. 

And with the pining the cell phone, can anybody ping somebody 
else’s cell phone, or is that just something the company can do? 

Mr. Gidari. Something only the company can do. 

Mr. Scott. And I think there is an expectation that you are not 
being followed, because the company isn’t supposed to be following 
you around, and the only way the government can do it is — what 
does the government need to order the company to find out where 
you are? 

Mr. Gidari. Depends on which magistrate you visit, but at least 
a pen register order and a specific and articulable facts order com- 
bined, but in many jurisdictions, a probable cause order — a prob- 
able cause warrant issued under Rule 41. 

Mr. Scott. But for a government request, I should have an ex- 
pectation that I am not being pinged and shown up on somebody’s 
computer screen. Is that a reasonable expectation, or, you know, 
should 

Mr. Gidari. It is more than a reasonable expectation. 

Mr. Dempsey. And that is the way I think that carriers have de- 
signed their services. A number of carriers offer services whereby 
parents, for example, can — who are the subscribers to the service — 
can find out, for example, where their children are. But that is the 
case of the subscriber controlling their account. 

There are a variety of services now being offered where I can 
share my location with my friends. The companies who have de- 
signed those services have been very, very careful to design them 
in a way so that the user has control. To override that user control, 
the company has to be involved. The company has to be compelled 
to do something. 

And some of those services offer very, very precise location capa- 
bility, in a sense almost pinpointing a person on a map. A number 
of those companies have said that they will insist upon a warrant 
for disclosure of that information, and I think they have strong con- 
stitutional argument for that. But the statute, as we have said, it 
is completely unclear. 

Mr. Nadler. Thank you. 

I now recognize the gentleman from Georgia. 

Mr. Johnson. Thank you, Mr. Chairman. 

If I were someone’s wife, and I was out on the town running 
around with all kinds of males and females and engaged in doing 
my own thing pretty much, and I am wanting to keep all of that 
secret, I am certain that no one on the panel would want the hus- 
band of — or they would not want my husband to be able to go to 
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the phone company and say, “Look, I need to find out where my 
wife is, because I am going to kill her when I find her.” None of 
you all would want that to happen, would you? 

And so no one is saying anything, so I assume 

Mr. Dempsey. No. 

Mr. Johnson. Okay. All right. 

And now, what if I were a law enforcement officer — the husband. 
Or what if my husband was a law enforcement officer? Is there 
any — and only thing this law enforcement officer did was to go get 
a subpoena, which he carries around blank subpoenas, and comes 
to a cell phone provider and says, “Look, I am conducting an inves- 
tigation, and you must provide this information to me.” Should that 
law enforcement officer, or any other law enforcement officer, be 
able to obtain that information, the whereabouts of his wife? 

Mr. Gidari. They would be shown the door with that request, the 
door to the courthouse, where they would have to ask a judge to 
approve an order to get it. 

Mr. Johnson. But that may be true at your cell phone company, 
but it is not necessarily compelled by law that the cell phone com- 
pany refrain from producing those documents. Is that correct? 

Mr. Dempsey. Congressman, there is actually an interesting case 
that has emerged in the 11th Circuit recently, which dealt not with 
the location information, but instead with some e-mails. 

And the case clearly involved a certain amount of favoritism on 
the part of the prosecutor and the sheriff in that area, who at least 
allegedly were doing a favor for a friend in defending that friend 
against some civil litigation or some civil controversy, issued a sub- 
poena, like you say, served the subpoena on the service provider, 
and the service provider did turn over that e-mail. 

The case has gone up to the 11th Circuit, and unfortunately, this 
is one of the cases that I think went in the wrong direction. Pro- 
fessor Kerr has also written about it, criticizing the decision in this 
case, but the 11th Circuit held that there was zero constitutional 
privacy interest in that e-mail and that the sheriff and the pros- 
ecutor, in essence acting off on their own, had not violated any- 
body’s rights. 

Mr. Johnson. So, and the reason why it was not private is be- 
cause it was in the cloud somewhere? 

Mr. Dempsey. Yes, there was this notion that they had, which 
we think is wrong, that privacy was lost because of the use of that 
technology. 

Mr. Johnson. Yes. 

Is there anybody who would agree with the 11th Circuit decision 
in that case that is sitting on this panel? 

Yes, okay. All right. Well, you know, I have been sitting here all 
day trying to find something that someone on the panel would say 
that would incite me to issue forth with tough questions, but you 
all have deprived me of that option, and I am pretty much, I guess, 
singing to the choir when I say that I would hate to see either with 
content or with noncontent information requested by law enforce- 
ment, to use your analogy, Mr. Kerr — or not your analogy, but your 
terminology, I would hate to see a company turned into a agent for 
law enforcement at the expense of their customer. 
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To me the issues that we confront are easily dealt with by legis- 
latively extending the Fourth Amendment. And I do believe that 
there is an inherent right to privacy, which is implied in really the 
first nine amendments, but certainly the Fourth Amendment. All 
we have to do is just extend it to these new areas that have come 
to the fore since we have been embarked on this pursuit of intellec- 
tual supremacy, if you will. 

This is just human nature, but if we stick with the ideals of the 
founding fathers, particularly with respect to the Fourth Amend- 
ment, I think that our job should be easy. 

And I guess there could be an argument that we just leave each 
case up to the the courts to flesh out and ultimately to the U.S. 
Supreme Court, but I am afraid that we would — I am afraid to 
leave it up to the U.S. Supreme Court when we can put those 
things into legislation, which clears up the ambiguities that may 
arise. 

So I think this is a very important hearing. It bears upon the in- 
dividual rights that we in this country oftentimes take for granted, 
but they are what made America what it is. So thank you very 
much. 

And I notice that the Chairman is now thinking about — thinking 
pensively as we proceed. 

Mr. Nadler. And you yield back? 

Mr. Johnson. At this time, yes. 

Mr. Nadler. Then I will recognize the gentlelady from Cali- 
fornia. 

Ms. Chu. So, Mr. Dempsey, I would like to ask a question about 
the fate of an e-mail that I would send out, but under different cir- 
cumstances with regard to privacy and the Fourth Amendment. 

Let us just say I e-mail a friend, Sarah, and what would happen 
to the fate of that e-mail if she has read it versus hasn’t read it 
or with regard to if 8 months have passed versus tomorrow, wheth- 
er it is on a Gmail account or whether it is on her hard drive? Or 
what if I took the content of that information and put it in a letter 
and just mailed it? 

Mr. Dempsey. In the Appendix A to my testimony, I talk about 
this example, and if I was better at graphics, I would have tried 
to it do a chart that showed this, because it really does almost take 
a matrix to explain this. 

While the e-mail is in transit, moving over the wires, so to speak, 
or moving through the network, it can be intercepted only with a 
warrant, a wiretap order issued under the Wiretap Act. 

Once it reaches the inbox, so to speak, the computer of the serv- 
ice provider of Sarah, the intended recipient, it comes under the 
Stored Communications Act and at least until she opens it, that e- 
mail sitting in her e-mail box is protected again by the warrant re- 
quirement. 

After she reads it, under my reading of ECPA, for 180 days it 
remains protected by the warrant requirement. After 180 days, on 
day 181, it loses the warrant protection. So you go from warrant 
to non-warrant. 

An interesting example is if you are using Gmail, by the way, 
and you — or any other remote Web-based e-mail service — and you 
draft your e-mail and don’t send it, because you haven’t finished it. 
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you are going to come back the next and finish it and send it, while 
that e-mail is sitting on the server of Google, it is available regard- 
less of age. 

It is available with a mere subpoena. It is not protected by the 
warrant at all, because Google is at that time acting as a provider 
of remote computing services, not as a provider of electronic com- 
munication services. They are storing the e-mail. 

Once 180 days passes, then Google again reverts to its status as 
a remote computing service. It is available with the subpoena. The 
Justice Department argues that the copy of the e-mail that you 
might store, since you store all your outgoing e-mail, if it is stored 
in the cloud, loses its protection as soon as you send it, because it 
is no longer in transit in temporary storage incident to trans- 
mission. It is sort of your copy. 

Now if you had printed out a copy and kept a copy in your office, 
that is protected by the Fourth Amendment. If you have a copy on 
your desktop or laptop, that is protected by the Fourth Amend- 
ment. But the copy that is stored in your account, according to the 
Justice Department, from the minute you push “send,” that is not 
protected by the warrant. 

Mr. Nadler. Will the gentlelady yield for a moment? 

Ms. Chu. Yes. 

Mr. Nadler. And the Justice Department in effect is saying that 
because you pressed the “send” button, the Fourth Amendment 
doesn’t apply, because it is no longer your papers? 

Mr. Dempsey. It applies only — I think everybody would admit 
that it applies to the e-mail in transit. 

Mr. Nadler. But why doesn’t it apply continuing? 

Mr. Dempsey. They argue, I think, that it is — it is hard to articu- 
late their theory. It is a stored record, in their opinion, that has 
been entrusted to a third-party in such a way that you have sur- 
rendered your privacy interest in it. 

Now, I think the correct analogy is the storage locker analogy, 
in which a warrant is required to go into the storage locker. There 
are cases having — they analogize it to something like a check, a 
cancelled check which goes to the bank. 

Mr. Nadler. That is even more strange, when they say that it 
is not protected by the Fourth Amendment before you finished it. 

Mr. Dempsey. If you store it with some — if you leave it on some 
remote server. 

Mr. Nadler. I thank the gentlelady for yielding. 

Ms. Chu. And so if you have it on the hard drive, it is protected, 
but if it is in the cloud, it is not protected. And if it is a letter, I 
am presuming you are saying it is protected. 

Mr. Dempsey. The letter is interesting, because the letter is pro- 
tected, of course, in the hands of the post office. This goes back to 
1877, when the Supreme Court ruled that the Fourth Amendment 
does protect the letter moving through the mail system. The copy 
of the letter that I retained is protected. The copy of the letter that 
the recipient has is protected vis-a-vis the recipient. They can al- 
ways voluntarily turn it over, but to force them to disclose it would 
require a warrant or subpoena served directly on them. 

So you have got this crazy quilt that the average individual has 
absolutely no idea about. And increasingly, the services are being 
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designed in a way to make all this completely seamless and com- 
pletely non-apparent to the user. 

So we have these increasingly powerful Black Berries and 
handheld mobile Internet devices. We are constantly accessing in- 
formation remotely. Sometimes it is on the device. Sometimes it 
isn’t. Increasingly, it becomes even less clear where it is. And it is 
time to dispense with these technology-based, platform-based rules 
by which people do not lead their lives, people do not base their 
lives on these distinctions from 1986. 

Ms. Chu. Thank you. 

I yield back. 

Mr. Nadler. I thank the members of the panel, unless any mem- 
ber of the panel wants to say anything else. 

In which case without objection, all Members will have 5 legisla- 
tive days to submit to the Chair additional written questions for 
the witnesses, which we will forward and ask the witnesses to re- 
spond as promptly as they can so that their answers may be made 
part of the record. Without objection, all Members will have 5 legis- 
lative days to submit any additional materials for inclusion in the 
record. 

Mr. Dempsey, you wanted to make a statement. 

Mr. Dempsey. Yes, Mr. Chairman. Sorry, I did have one thing. 
I have a very good memo that was prepared by Becky Burr at the 
WilmerHale law firm, talking about some of these issues, and I 
would like to, with your permission, enter this into the record of 
the hearing as well. 

Mr. Nadler. Well, if you will give it to us, without objection, it 
will certainly be entered into the record, and I thank you. 

[The information referred to follows:] 
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The Electronic Communications Privacy Act of 1986: Principles for Reform 
J. Beckwith Burr- 


Background 

Congressional enactment of the Electronic Privacy Information Act (ECPA)- in 1986 
was a remarkably forward-looking effort to govern the compelled disclosure of electronic 
communications data to the government by balancing law enforcement needs with the personal 
privacy safeguards needed in the digital age.- As communications technology developed, and 
its contribution to the U.S. economy became clear. Congress also consciously endeavored to find 
a balance that would nurture communications technologies.- The wisdom of this attempt to 
balance privacy rights and law enforcement needs in an innovation-friendly environment is 
evident today: the Internet has evolved from a research network with a few thousand academic 
hosts into a global platform for communications, commerce, and civic activity used by four out 
of five adults in the United States on a daily basis.- Information technology has driven the U.S. 


- J, Bcckvviih Burr is a paruicr ai Wilmcr Culler Pickering Hale and Dorr, LLP, and a member of ihc finn’s 
Regiilatoiv' and Go^-emment Affairs Department, based in Washington, D.C. 

- The term “ECPA" is used in this paper to describe both Title \ of the Electronic Communications Privacy 
Acl, which proiccis wire, oral, and clcclronic coiiununicalions in transit, as well as Title 11, referred lo as Ihc Stored 
Communications Act. ^vhich protects communication held in electronic storage. 

- Tlic slated goal ofECPA was lo preserve “a fair balance between the privacy cxpcclalions of cili/ens and 
the legitimate needs of law enforcement.” House Committee on the Judiciarv, Electronic Communications Privacy 
Act of 1986, H, Rep, No. 99-647, 99th Cong. 2d Sess. 2. at 19 (1986). 

- in addition to the goals of privacy and law cnforccmcnL ECPA sought to adwance the goal ol' supporting 
the development and use of these new tccimologics and services. See S. R.cp. No. 99-541, al 5 (noting that legal 
micertainty over the pri'^’acy status of new^ forms of communications “may umiecessarily discourage potential 
customers from using innovative communications ^'stems”), It was the intent of Congress lo encourage the 
proliferation of new communications technologies, but it recognized that consumers would not trust new 
technologies if the privacy o!.' those using Uiein was not protected, hi: H.R. Rep. No, 99-647, at 19 (1986), 

- Petv Internet & American Life Project: Wireless Internet Use, at 8 (July 2009) , available at 
http ://vvww,pcvviTUcnicl,org/~/mcdia//Filcs/Rcporls/20()9/Wirclcss-lnlcmcl-Usc, pdf 
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economy in the past two decades,- and is expected to remain the engine of growth for years to 

7/ 

come.- 


As forward-looking as ECPA was in 1986, there is broad consensus that today’s 
technology has outpaced the Act. In 1983, Apple Computer introduced the “Lisa”— the first 
mass-marketed microcomputer with a graphical user interface. The Lisa cost $10,000 and 
featured 1 megabyte of RAM and a 5 megabyte hard drive.- Today, for $999, consumers can 
purchase a Mac Book with 2 gigabytes of memory, a 250 gigabyte hard drive, and built in 
wireless Internet access and communications technology.- In 1 995— nearly a decade after 
Congress enacted ECPA — only 9% of American adults used the Internet, compared to 81% 
today.— Prototype mobile telephones from the 1980s— the size and shape of “bricks”— are now 


- See Robert D. Atkinson & Andrew S. McKay, InforimiHoyi Technologic & Innovation Foundation, DigUat 
Prosperity: Understanding the Economic Benefits of the Information Technolog}- Revolution at 11-14 (March 2007) 
(“|T|he mid-1990s were a tiimiiig point that marked the move from the sluggish U.S, economy of the 1970s, 1980s, 
and early 1990s to tlie dynamo of the last decade... [T]here is a now a strong consensus among economists that the 
IT revolution was and continues to be responsible for the lion’s share of the post ‘95 rebound in productivity 
growTh.”). 

- See id. at 53 (“It is not clear how long IT will power growth, but it seems likely that for a[t] least the next 
decade or two IT will remain the engine of growth. The opportunities for continued diffusion and growtli of tlie IT 
system appear to be strong, Many sectors, such as health care, education, and government, have only begun to tap 
the benefits of IT-driven tfaiisfonnaiioii. Adoption rates of e-conunerce for most consumers, wliile rapid, are still 
relatively low^ And netv technologies (e.g., RFID, wireless broadband, voice recognition) keep emerging that will 
enable new applications. In short, wiiile die emerging digital economy has produced enormous benefits, the best is 
yet 10 come. The job of policymakers in developed and developing nations alike, is to ensure that the policies and 
programs they put in place spur digital transfonnalion so that all their citizens can fully bcncfil from robust rates of 
growth. ”), 

According to the Bureau of Labor Statistics, “Two of the fastest growing detailed occupations are in the 
computer specialist occupational group. Network systems and data communications analysts arc projected to be the 
second-fastest-growing occupation in the economy. Demand for these ivorkers will increase as organizations 
continue to upgrade their information teclinology’ capacity' and incorporate tlie newest tecluiologies. The growing 
reliance on wireless networks will result in a need for more network systems and data communications analysts as 
w^ell. Computer applications softw'are aigineers also are e?^ecled to grow rapidly from 2U08 to 2018, Expanding 
Internet technologies have spurred demand for these workers, who can develop Internet, intranet, and Web 
applications.'’ Occupational Outlook Handbook: 2010-201 1 Edition, available at 
http :/.Avww. bis. gov/oco,-oco2()()-^ .him . 

- Lisa/Lisa 2/Mac XL. available at http://wwvw.apple-hjsrorv.com/lisa htmI . 

- Apple — MacBook: Technical Specifications, available at http :// w'ww.ap plc.com,''!nacbook/spccs,html (last 
visited Feb 2010), 

- Harris Interactive. The Harris Poll, available at 

!ntp : .//vvww. iia rrisiTncraci,iv c ,coin/l iorr is_pon/in dcx .asD?PlD=973 . 
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collector’s items on eBay,— while in 2009 palm-sized smart phones— double as sophisticated 
computing platforms with the potential to bridge the digital divide.— Communications 
technology in the United States is evolving — and will continue to evolve — more rapidly and in 
more directions than we currently imagine. ECPA, which serv'ed us remarkably well for many 
years, is today unwieldy and unreliable as a law enforcement tool, immensely difficult forjudges 
and investigators to apply, confusing, costly, and full of legal uncertainty for communications 
and other technology tools and service providers, and an unpredictable guardian of our country’s 
long cherished privacy values. 

A coalition of communications, equipment, and online services, as well as members of 
the legal and advocacy communities— have come together over the last year with the goal of 
developing a set of principles to simplify, clarify, and unify ECPA— without constraining 
important law enforcement activities. The result of this effort is a set of consensus principles for 
updating ECPA that are designed to: 

• Establish consistent, predictable privacy protections for communications and other 
electronic information services used by Americans every day to handle their personal 
communications and operate their businesses — building user trust and supporting the 
full extension of Constitutional values to the networked world, while providing clarity for 
law enforcement and service providers. 

• Achieve technologically neutral solutions and avoid arbitrary distinctions that become 
hard to apply over time, inhibit innovation, and skew the Internet marketplace. 


— ' For example. Motorola’s D\'natax 8000x was the first cell phone to receive FCC approval (in 1983). It 

weighed 28 ounces and was 1 0 inches high, not including its flexible ''rubber duck" whip antenna. Available at 
iittp://w ww .retrowow.co.ukVretro col1ectib 1es/ 80s/motorol a , 8 000X.p hp. 

— For example, tlie Google Nexus One is less than 5 inches tall and w^eighs less than 5 ounces. Available at 
h rtp://www. google. co m /p lioiie/stai ic/en US-nexuson e _te c h_sp ecs Imnl. 

— According to the Pew Internet & American Life Project, lower levels of home broadband access coupled 
^vith louver levels of deslctop and laptop computers explains tiie traditional access gap bet^veen ^vhite and black 
Americans. But the gap in online engagement "largely dissipates" according to Pew, when access on handheld and 
mobile devices is considered: under those circimislanccs, "use among African Americans matches or exceeds that 
of white Americans. T wo measures of cngagcmcnl with the wireless online — accessing the 1 1 Internet on a liandlicld 
on the typical day or ever — shows that Africans Americans are 70% more likely to do tliis than white Americans.’’ 
The report concludes, "To an extent notably greater than that for whites, wireless access for African Americans 
scrt-cs as a substitute for a missing onramp to the Internet — ^thc home broadband connection." Pew Internet & 
American Life Project; Wireks.'s interne! Use, at 32-35 (July 2009), available at 

http://wwvv.pewmternet.Org/Wmedia//Fiics/Rcports/2009AVireless-internct-U3e. pdf (emphasis in original). 

— Coalilion members currcnily include; American Civil Liberties Union. AT&T, Ccnicr for Democracy and 
Technologv’, Electronic Frontier Foundation. Google, Microsoft, IBM. Net Coalition. Loopt. and Salesforce.com. 
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• Preserve the legal tools necessary to conduct criminal investigations and protect the 
public, including through preservation of the ECPA exceptions and exemptions relied 
upon by law enforcement today. 

The consensus principles reflect the working group’s commitment to change no more 
than strictly necessary to achieve these important goals . Implementation of the consensus 
principles would not affect surveillance or privacy law relating to national security, including the 
Foreign Intelligence Surveillance Act and the national security letter authority in ECPA. The 
principles would not deny the government information needed to conduct investigations, and no 
information would be rendered off limits to government investigators with appropriate process. 
Indeed, adoption of the principles would facilitate cooperation between business and law- 
enforcement by clarifying the rules under which the parties interact. The principles preserve all 
of the building blocks of criminal investigations — subpoenas, court orders, pen register/trap and 
trace orders, and warrants, and would carry forward ECPA’s sliding scale approach that ties the 
level of process required to the level of investigative intrusiveness. The recommended changes 
would not disturb fundamental elements of ECPA, including the distinctions between content, 
subscriber identifying information, and less sensitive transactional data. Finally, these 
recommendations preserve the exceptions for compelled disclosure that have been written into 
ECPA over the years, including those permitting emergency disclosures. 

Principles 

1 . A governmental entity may require an entity covered by ECPA (a provider of wire or 
electronic communication service or a provider of remote computing service) to disclose 
communications that are not readily accessible to the public only with a search warrant issued 
based on a showing of probable cause, regardless of the age of the communications, the means or 
status of their storage or the provider’s access to or use of the communications in its normal 
business operations. 

2. A governmental entity may access, or may require a covered entity to provide, 
prospectively or retrospectively, location information regarding a mobile communications device 
only with a warrant issued based on a showing of probable cause. 

3. A governmental entity may access, or may require a covered entity to provide, 
prospectively or in real time, dialed number information, email to and from information or other 
data currently covered by the authority for pen registers and trap and trace devices only after 
judicial review and a court finding that the governmental entity has made a showing at least as 
strong as the showing under 2703(d). 
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4. Where the Stored Communications Act authorizes a subpoena to acquire information, a 
governmental entity may use such subpoenas only for information related to a specified 
account(s) or individual(s). All non-particularized requests must be subject to judicial approval. 

Principle 1: Access to Content in Transit and in Storage 

Recommended Approach : Under the consensus principles, a governmental entity may 
require the provider of wire or electronic communications services to produce the non-public 
content of communications only with a search warrant issued based on a showing of probable 
cause, regardless of the age of the communication, the means or status of its storage or the 
providers access to or use of the content in its business operations. This change would bring all 
stored communications content under the same probable cause standard set forth in the Fourth 
Amendment, accessible to law enforcement with an ordinary warrant. For example, a showing 
of probable cause would be required to compel production of email, regardless of whether it is 
“opened” or not, and regardless of how old it is. The principle also would apply to documents 
and other private data stored by or on behalf of individuals on remote servers.— 

Need for Change : Americans have embraced email in their professional and personal 
lives and use it daily for confidential communications of a personal or business nature. Most 
people save these emails, just as they previously saved letters and other correspondence.— In 
fact, many Americans now have accumulated years' worth of email, much of which is stored on 
the computers of trusted third-party service providers. Likewise, businesses and individuals are 


— These changes are premised on the understanding that the definition of“electronic communications' is 
broad enough lo include such items as a draft document stored on a service such as Google Docs. We inlcrprei the 
current definition of remote computing ser\’ice as broad enough that it does not need to be amended to cover 
teclmologies such as cloud computing, which are expected to keep America competitive by reducing business costs, 
enhancing produclivih . and facililaling collaboration and innovation. 

— Companies often impose email retention policies that require employees to presen’e emails for se^’eral 
months before deletion. Contoural White Paper, How Long Should Email Ba Saved?, at 5 (2007), available at 
hiipi/Vwww.uniiacs.umd.cduAoard/lcaciiit' giTOHx/sprjngOWll.pdr ('■'Most companies come lo the conclusion that 
many messages ^lould be retained for a few years for business productivity purposes.”), 

Moreover, unlike a paper letter, often an email remains in existence long after the sender or recipient 
attempts to delete it. See Applied Discovery, at 3, available at 

] iu p://v\ vvvv2.acc/cliapters/b rogr am/dallas/docume nlreleniion.pdf . (“Even when a computer user intends to discard 
electronic data, the task is much easier said than done. The 'delete' key creates a false sense of security for many 
people. A deleted doemnent may no longer be available to the user, but copies remain in temporary' files, on backup 
tapes, and, in the case of email, in other recipients’ in-boxes.”) 
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now increasingly storing other data “in the cloud,”~ with huge benefits in terms of productivity, 
cost, security, flexibility and the ability to work with collaborators around the world.— This data 
includes highly personal information such as medical and financial data, digital calendars, 
photographs, diaries, and correspondence.— It also includes commercially sensitive, proprietary 
and trade secret materials, such as business plans, research and development, and commercial 
collaboration. 


The privacy rights of an individual with respect to all of this information, if stored on his 
or her hard-drive— — or indeed on a CD in a safe deposit box — would be fully protected by the 
warrant clause.— Under ECPA, however, a single email or electronic document could be subject 
to multiple legal standards in its lifecycle, from the moment it is being typed to the moment it is 
opened by the recipient or uploaded into a user’s “vault” in the cloud, where it might be subject 
to an entirely different standard.— A warrant is required to access the content of an email while 


— “Cloud computing is a general term for anything that involves delivering hosted services over tlie Internet. 
These services are broadly divided into three categories: Inlrasirucliire-as-a-Scrvice (laaS). Plalform-as-a-Serviee 
(PciaS) and Software-as-a-Senice (SaaS). The name cloud computing was inspired by the cloud symibol thaf s often 
used to represent tlie Internet in flow charts and diagrams.” Cloud Computing Definition, available at 
h T t p://searchcloud computin g .techtargei’ com/$Definition/0..sid?-01 _gciL'l:8788 l.00.htm]. 

— As an example of the poicniial savings from cloud computing, the Obaiua Administration’s Chief 
Information Officer. Vivek Kundra. “pointed to a revamping of the General Services Administration’s USA.gov 
site, Using a traditional approach to add scalability and flexibility', he said, it would have taken six months and cost 
the govcnmicni $2,5 million a year, Bui by lunhng to a cloud computing approach, the upgrade look just a day and 
cost $800,000 a year,” DanielTerdiman iVhite House Unveils Cloud Computing Initiative, cnet News, Sept, 15, 
2009, available http:/,''news,cnet.coni/S30i-13772 3-1035A479-52.html 

— These materials are. as one author has noted, “the same materials deemed Tiiglily personal’ by tlie Supreme 
Court, a sentiment later echoed by tlie Eighth Circuit to justify Fourth Amendment protection for schoolchildren 
despite their otherwise diminished expectations of privacy, [they] also mirror [ ] ilic list of materials that the 
Eleventh Circuit used as a basis for asserting that 'few places outside one’s home justify a greater expectation of 
privacy than does the briefcase, See David A, Couillard , Befogging the Cloud: Applying Fourth Amendment 
Principles to Evolving Privacy Expectations in Cloud Computing, 93 Minn. L. Rev. 2205, 2219-2220 (2009) 
(internal footnoics omillcd), 

— See, Trulockv. Freeh, 275 F.3d 391 (4th Cir. 2001'): United States v. Crist, No. l:07-cr-211. 2008 WL 
4682806 (M.D, Pa. Oct, 22, 2008), 

— See, e.g., Kyllo v. United States, 533 U.S. 27, 31 (2001) (“At the very core of the Fourth Amendment 
stands the right of a man to retreat into his own home and there be free from unreasonable govcnmicnial intrusion. 
With few exceptions, llic question wliclhcr a warrantless scardi of a home is reasonable and hence constitutional 
must be answered no.” (internal quotations and citations omitted)). 

— Robert Gcllnian. Privacy in the Clouds: Risks to Privacy and Confidentialitv fmni Cloud Computing, at 13 
(Feb. 23, 2009). "Dislinciioiis recogiiEed by ECPA include electronic mail in transit; electronic mail in storage for 
less tlian or more than 180 days; electronic mail in draft; opened vs. unopened electronic mail; electronic 
communication service; and remote computing service.... The precise characterization of an activity can make a 
significaiU difference to the proicclions aflordcd under ECPA.” Available at 

http :/7vvvvw. scrib d.com/dQC/i 280575 !./Priv acy-in-Cloud-Computing- Wo rld-Prv acv-C oiin cihFcb~ 20 09. 
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it is in storage waiting to be read by the recipient.— The nanosecond the email is opened by the 
recipient, however, it may lose that high standard of protection and become accessible with a 
subpoena, issued with no judicial intervention, with (concurrent or delayed) notice to the affected 
individual.— One Court of Appeals has rejected this distinction between opened and unopened 
communications for purposes of determining whether or not a communication is in “electronic 
storage,”— while in other areas of the country the question remains unsettled.— In all cases, the 
Justice Department believes law enforcement can compel disclosure of the content of the same 
email with a mere subpoena after the email is more than 180 days old.— Likewise, while as a 


18 U.S.C. § 2703(a). 

— 18 U.S.C. § 2703(b)(1)(B). Alternatively, it can be acquired witli prior notice to the subscriber based upon 
a court order supported by spccilic and articulable lacis demonstrating reasonable grounds to believe the 
communication is rele^- ant to an ongoiitg criminal investigation. Id. In either case, notice to the subscriber is 
required unless tlie go^-emment secures a warrant. Id. The Department of Justice Computer Crimes and Intellectual 
Property Section argues in the 2009 edition of its Computer Search and Seizure Manual, at 123-124: “As 
traditionally understood, 'electronic storage’ refers only to temporary storage made in the course of transmission by 
a service provider and to backups of such intermediate coimnunicatibiis made by the service provider to ensure 
system integrity'. It does not include post-transmission storage of communications. For example, email tliat has been 
received by a recipient’s service provider but has not yet been accessed by the recipient is in ‘electronic storage. ’ 

.Sbc Sliaye Jackson Games, Inc. v. United Stales Secret Senice, 36 F.3d 457. 461 (5lh Cir. 1 994). At that stage, the 
commnnication is stored as a temporary' and intemiediate measiu'e pending the recipient’s retrieval of the 
communication from the ser\'ice provider. Once tlie recipient retrieves tlie email, however, the communication 
reaches its final destination. If the recipient chooses to retain a copy of the accessed communication, tlie copy will 
not be in ‘temporary', inlcnncdiatc storage’ and is not stored incident to transmission. See Fraserv. Nalknmide 
Mut. Ins. Co.. 352 F.3d 107, 1 14 (3d Cir. 2003) (staling that email in post-transmission storage was not in 
“temporary', intemiediate storage”). By tlie same reasoning, if the sender of an email maintains a copy of the sent 
email, the copy w'ill not be in ‘electronic storage.' Messages posted to an electronic ‘bulletin board' or similar 
service are also not in ‘eleciroiiic storage’ because tlie website on which they are posted is the Imal destination for 
tlie information. See SnoM' v. DirecTV, inc.. 2005 WL 1226158, at *3 (M.D. Fla. Mav 9. 2005), adopted by 2005 
WL 1266435 (M.D. Fla. May 27. 2005), affdon other grounds. 450 F. 3d 13 14 ( 1 Itli Cir. 2006). 
http:'7\vww.cvbercrime-g6v7$snmnual./ssmanuai2009.;xlf 

— Theofelv. Farey Jones. 359 F.3d 1066 (9th Cir. 2004). 

— The Department of Justice Computer Crimes and Intellectual Property' Section Manual describes the 
holding of the Ninth Circuit in Theofet as follows: ‘'|T|lic court held that email messages were in ‘electronic 
storage’ regardless of 'whether tliey had been previously accessed, because it concluded tliat retrieved email fell 
witliin tlie backup portion of tlie definition of ‘electronic storage.’ Id. at 1075-1077. Altliough tlie Ninth Circuit did 
not dispute that previously accessed email was not in temporary-, intcnncdialc storage within the meaning of § 
2510(17)(A), it insisted that a previously accessed email message fell within the scope of the ‘backup’ portion of tlie 
definition of ‘electronic storage,’ because such a message “functions as a ‘backup’ for the user,” Id. at 1075, The 
discomfort of some coiuts -witii the Justice Department’s interpretation of tlie Stored Communications Act is evident 
in the Sixth Circuit’s (now vacated) ruling in iVarshakv. United Slates that "individuals maintain a reasonable 
expectation of privacy in emails that arc stored with, or sent or received through, a commercial ISP.” 532 F,3d 521, 
536-537 (6tli Cir. 2008). Specifically, the panel court upheld a preliminary injimction enjoining the government 
from “seizing the contents of a personal e-mail account” under 18 U.S.C. § 2703(d) unless the government provides 
prior notice to the e-mail user or shows that the c-mail user had no reasonable expectation of privacy vis-a-vis the c- 
mail service provider, 

— See DOJ. Electronic Surveillance Manual, at 25 (2(X)5), available at 

hu p :./Av\v\v. iusii c c.gov/criin iriai/ibia/d ocs/c l c c -sur -ma nual-pdr . 
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practical matter law enforcement must secure a warrant to access documents on a personal 
computer, under ECPA, a mere subpoena issued to a third party will suffice to access 
confidential documents stored remotely on the computers of a cloud computing service 
provider.— 

The different standards are the unanticipated byproduct of technology changes, and not a 
careful balancing of the needs of law enforcement and the privacy rights of individuals. Nor do 
they reflect a substantive difference in the nature of the information; rather they reflect the fact 
that ECPA was enacted in 1 986 — six years before Congress authorized commercial activity on 
the Internet,-— and seven years before the first web browser was introduced.— In 1986, very 
few Americans had e-mail accounts, and those who did typically downloaded email from a 
server onto their hard drives, and email was automatically and regularly overwritten by service 
providers grappling with storage constraints.— Even eight years later, when Congress enacted 
the Communications Assistance for Law Enforcement Act (CALEA),— the commercial Internet 


— 18 U.S.C. § 2703(b), While tlie govenimeiit requires a warrant under Rule 41 to forcefully enter and seize 
someone’s personal computer, it could theoretically choose to use a subpoena to compel production of the same 
compulcr or its conlcnis, rcsoriing to court cnlbrccmciU ilThc recipient failed to comply with the subpoena. As a 
practical matter, however, concerns about compromising the investigation or destruction of evidence normally lead 
law enforcement to secure a warrant in this situation. The same concerns about compromise and loss of evidence 
arc not normally present when the subpoena is scrv'cd on a third party' scni-icc or storage provider, however, 

— Prior to 1992 the National Science Foundation's mandate was to support access to the internet for research 
and education, and it had no authority to permit or promote commercial acti\-it>’ on ilie networks connecting research 
and academic insliiuiions. This aulhorily was conveyed to the NSF only in 1992, wilh passage of The Scicnliric and 
Advanced-Technology Aci, 42 U.S.C. § 1862(g) (1992), which directed the Nalional Science Foundation “lo foster 
and suppon access by the research and education communities to computer networks which may be used 
substantially for purposes in addition to research and education in the sciences and engineering, if the additional 
uses will tend to increase the overall capabilities of the networks to support such research and education activities,” 

— The Mosaic web browser was released in 1993. a graphical browser developed by a team at tlie National 
Center for Supercomputing Applications (NCSA) at the University^’ of Illinois at Urbana-Champaign (UIUC). led by 
Marc Andreessen, 

— Achal Oz‘d, Amend the ECPA: Fourth Amendment Protection Erodes as E-Mails GetDusty>, 88 B.U, L. 
Rev. 1043, 1072 (Note 2(X)8) ('Tn 1986, e-mail technology- was still very' new. Most e-mail users dialed-up to their 
c-inail servers using a modem and downloaded Ihcir communications to a home compulcr, wilh ihc server aciing 
only as a medium for icmporary storage. Using this rationale, the ECPA draws a dislinclion bcivvccn c-inails in 
electronic storage on third-party sen’ers for 1 80 days or less and those in electronic storage longer tlian 1 80 days.” 
Citing Electronic Communications Privaev Act: Hearing on H.R. 3378 Before the Suheornm. on Courts, Civil 
Liberties, and the Admin, of. Justice of the H. Comm, on the Judiciary, 99th Cong, 475, at 24 ( 1 986) (testimony of 
Philip M. Walker, General Regulatory Counsel, GTE Telenet Inc., and Vice Chairman, Electronic Mail 
Association)). 

— Pub, L. No, 103-414. lOS Slab 4279 (1 994) (codified al 47 U,S,C, §§ 1001-1021), 
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was in its infancy, digital storage was expensive,— and email was automatically and regularly 
overwritten by service providers grappling with storage constraints. 

Today, the distinctions between and among data in transit, data in electronic storage, data 
stored by a remote computing service, and data more them 180 days old no longer conform to the 
reasonable expectations of Americans, nor do these distinctions serv'e the public interest. A 
growing chorus of academics argues that these distinctions do not make sense,— and courts have 
had increasing difficulty applying ECPA. The Fifth Circuit described efforts to interpret the 
Wiretap Act as a “search for lightning bolts of comprehension [that] traverses a fog of inclusions 
and exclusions which obscures both the parties’ burdens and the ultimate goal.”— The Ninth 
Circuit described this as a “complex, often convoluted, area of the law."— In 2002 the Ninth 
Circuit said that Internet surveillance was “a confusing and uncertain area of the law” that is so 
out-dated that it is “ill-suited to address modem forms of communication.”— A district court in 
Oregon recently opined that email is not covered by the Constitution, while the Ninth Circuit has 


— Mall Koniorowski. A JIiston< o/Slorage Cost, availahk at IUlp://w\vw.mkoTno,coin/c o sl-pcr"giga b\ Ic 
(concludes that “space per unit cost has doubled roughly every 14 months.” and states that “[sleveral terabytV+ 
drives have recently broken the $0. 10/gigabyte barriers.”); see also Digital Prosperity supra Note 5, at 8 (The falling 
cost of storage is “why Web companies like Google. Yahoo, and Microsoft are providing consumers witli large 
amounts of free Web-based storage Tor their email, photos, and other Hies. For e.s:aruple, Google provides around 
2.7 gigabytes (2.700 megabytes) of free storage for users of their Gmail e-mail service. If Google were to provide 
tliis sendee today using the tectuiologj' of 1 975 (in 2006 prices), it would cost them over $50 million per userl But 
because memory is now so cheap. Google and other companies can afford to give vast amounts of it a.w'ay for free, 
paying for it tlirough miobtrusive advertisements.”). 

— See, e.g.. Patricial L. Bellia. Surs’eillance Law through Cyberlaw 's Lens. 72 Geo. Wash. L. Rev 1375. 
1396-1.397 (2004) (slating that "[sjiorcd communications have evolved in such a way that [ECPA’s layer of 
statutory protection for stored communicalionsl, often referred to as the Stored Communications Act (“SCA”), arc 
becoming increasingly outdated and difficult to apply.”); Orin S. Kerr, A User 's Guide to the Stored 
Communications Act, and a Legislator's Guide to Amending It. 72 Geo. Wash. L. Rev. 1 208. 1234 (2004) (stating 
that the “strange” 1 80-day distinction “may reflect the Fourth Amendment abandonment doctrine at work.” but 
concluding that ”|i|ncorporating those weak Foiulh Amendment principles into slalulorv law maizes little sense”). 

— Briggs V. Am. Air Filter Co.. 630 F.2d 414, 415 (5th Cir. 1980) (Goldberg. J.). In a case involving tlie 
Wiretap Act and ihc Stored Coiniminicalions Act, the same court said that the law is “famous (if not infamons) for 
its lack of clarity.” Steve Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457, 462 (5th Cir. 1994). 

— United Slates v. Smith. 155 F.3d 1051, 1055 (9tli Cir. 1998). 

— Kunop V. JFrwaiion Airlines, inc.. 302 F.3d 868, 874 (9lhCir. 2(X)2). The Ninth Circuit blamed lliis 
confusion on Congress's failure to update the law- to take into account modem teclinologies. In particular, tlie court 
complained that: “the difficulty [in constniing the surv^eillance statutes] is compounded by the fact that the ECPA 
was written prior to the advent of the Internet and the World Wide Web. As a result, the existing statutory 
framework is ill-suited to address modem forais of communication. .. . Courts have struggled lo analyze problems 
involving modem teclmology' within the confines of this statutory framework, often with unsatisfying results.” Id. 
While the Internet (but not the World Wide Web) did exist in 1986, it is entirely taie tliat tlie Internet of 2010 bears 
very little resemblance lo ihc Inicmcl of 1986. 
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held that it is.— Last year, a panel of the Sixth Circuit first ruled that email was protected by the 
Constitution and then a larger panel of the court vacated the opinion.— The degree of 
uncertainty surrounding judicial application of ECPA requirements in any given situation makes 
it difficult for law enforcement and service providers alike to act with confidence. The absence 
of clear, intuitive rules necessarily complicates — and slows — business review of law 
enforcement requests. The absence of clear rules also makes businesses hesitant to embrace 
emerging Internet hosted services and complicates efforts to consolidate global data repositories. 

As the Supreme Court has noted, clarity in the Fourth Amendment context benefits the 
public and law enforcement alike.® Without clear rules, law enforcement personnel must either 
take the chance of stepping over the line-risking suppression of evidence or even personal 
sanctions - or shy away from the line to avoid overstepping."^' Neither law enforcement nor the 
public are well served when law enforcement cannot make appropriate use of an investigative 
tool because they do not know what is and is not allowed. A dramatic example of the negative 
consequences of the lack of clarity was cited by the Foreign Intelligence Surveillance Court of 
Review in In Re Sealed Case, where the court noted that the rules set forth in prior judicial 
decisions had been “very difficult. . . to administer.”® As the 9/1 1 Commission explained, in the 
days leading up to the 9/1 1 attacks, certain intelligence information was not shared with FBI 
agents who were familiar with al Qaeda because an intelligence analyst misunderstood those 
decisions and misapplied the Justice Department’s rules implementing them.® Lack of statutory 


— Compare In re IJnilecI Slafes. 2009 WL 3416240 (D. Or. June 23, 2009), wilh Ouon v. Ak/i IVirclesr 
Operating Co.. 529 F.3d. 892, 895-899 (9th Cir. 2008), cert, granted 130 S. Ct. 1101 (2009). 

— Warshak e. United Staten. 490 F.3d 455, 467 (6th Cir,2007), vacated en banc. 532 F,3d 521 (6th Cir, 2008), 

~ See. c.g.,-4rfeoHov. .Ro6craon.486U.S. 675,681-682(1988);0(/v<;rv. U.S. . 4GGU.S. 170, 181-182 

( 1 984) C‘This Court repeatedly has acknowledged tlie difficulties created for courts, police, and citizens by an ad 
lioc, casc-by-casc dcfiiiilion ofFourlh Anicndnicnl standards to be applied in dirfering faclual circumslanccs. The 
ad hoc approach not only makes it difficult for the policeman to discern tlie scope of his authority; it also creates a 
danger tliat constitutional rights will be arbitrarily and inequitably enforced.” (citations omitted)), 

— Orin S, Kerr, Four Models of Fourth Amendmenl Froleciion, 60 Stan, L, Rev 5().f, 527-528 (2007) ("The 
Fourth Aincndmcni’s suppression remedy ... generates tremendous pressure on the courts to implement the Fourth 
Amendment using clear ex ante rules rather than vague ex post standards... . Clear rules announce ex ante what tlie 
police can and cannot do; so long as the police comply with the clear rules, the police will know- that the evidence 
cannot be excluded,”), 

— In re Seated Case. 3 10 F.3d 717. 743-744 (FISA Ct Rev. 2002). 

— See id. at 744; National Commission Terrorist Attacks Upon the United Stales. The 9/1 1 Commission 
Report at 78-80. 271. available at bltp. /y\v\^ wv.gpoaccess.go\79i i / pdf)'fullreport. pdf. 
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clarity also causes judicial uncertainty. When unclear statutory terms are Interpreted differently 
in different federal jurisdictions, prosecutors are left with two choices: create different practices 
and procedures in each jurisdiction or adopt the most restrictive interpretation throughout the 
whole country. The first option can lead to confusion and arbitrary results, and the second can 
cause agents to forego the use of important investigative tools even where their use would be 
permissible. 

As email has become a key means of personal and proprietary communications, and as 
users interact seamlessly with locally stored content and content stored on the Internet, ECPA’s 
rules defy user expectation. Today, tens of millions of consumers enjoy free email and data 
storage services on the Internet.— These services are normally advertising-supported, and 
service providers use automated tools to scan the communications in order to deliver relevant 
advertising or other services.—' Many service providers also examine content for security and 
anti-spam purposes.— All of these activities are undertaken in connection with providing the 
communication service, and users do not expect that these activities somehow render their 
private communications less private. Indeed, the average webmail user would be surprised to 
learn that the government believes this to be the case. Applying ECPA to nornial business 
practices in a manner that deprives users of basic privacy protections threatens to undermine 
information technology innovations such as cloud computing, which, “by altering the basic 
economics of access to computing and storage ... has the potential to reshape how U.S. and 
global businesses are organized and operate.”— 


— See Byron Acohido. Microsoft takes notice as more people use free Google Docs. USA Today. Sep. 22. 
2009 (reporting that by July 20 1 0 27% of companies plan to widely use Google Docs in tlie workplace). 

— See Google, More on Gmail and privacy, available at 

http :/7niail, google. com'mail/help/abotit pnvacY.htm.l#5car.njnu email 

— See id. (“Google scans llic lc\l of Gmail messages in order lo filler spam and dclccl viruses, just as all 
major webmail services do.") 

— Jeffrey Rayport & Andrew Heyward, Andrew: Envisioning the Cloud: the Next Cnmpuring Paradigm (Mar. 
20, 2009). According to the authors, cloud computing will lower capital requirements for tcchnologv- start-ups, 
peniiii businesses lo manage IT resources without tying up capital in IT capacity, while managing energy resources 
more efficiently; facilitate consumer access to an endless array of powerful applications at low cost: support 
innovation by reducing tlie hiunan investment needed to build and maintain IT infrastructure; and foster cooperation 
and collaboration, willioul the coordination costs typically associated with bringing people and work together. See 
b.ttp://'www.market5pcicea dv isoipyc om;^ elotid/-F.nv isioriing-tbe-Cloud.pdf 
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As presently applied, ECPA does not comport with user expectations, does not meet law 
enforcement or judicial needs for clarity, creates non-trivial costs for businesses seeking to 
comply with law enforcement requests, and erects barriers to the adoption of innovative, 
productivity enhancing technology by American business. To address these deficiencies in a 
technology neutral manner, the consensus principles would bring all communications content, 
whether in transit or in storage (as commonly defined), notwithstanding the age of that content or 
the ordinary uses of that content by providers, under the basic probable cause standard set forth 
in the Fourth Amendment, accessible to law enforcement with a warrant. 

Effect on Law Enforcement : This proposal would do no more than strictly necessary to 
reflect the reasonable expectations of privacy of communications technology users today, and to 
serve the public interest in facilitating innovation in the cloud. For example, the change: 

■ Would not extend to stored content the full range of protections that apply to real-time 
interception of communications content under the Wiretap Act, and would not require a 
“super warrant"’ for access to that data. Rather, this proposal does not modify the 
Wiretap Act,— and under the proposal, a search warrant supported by probable cause 
would suffice to require a provider to disclose stored content; 

■ Would not further restrict the authority to access communications that are readily 
accessible to the general public, such as remarks posted on a blog or website available to 
the public;— 

■ Would no! modify the right of any authorized recipient of a communication, other than 


— In 2000, the Justice Department supported legislation that would have extended the procedural protections 
accorded to ^'oice interceptions to tlie real-time mterception of electronic communications under the Wiretap Act, a 
change that the Justice Deparunent supported in 2000. See Testimony of Kevin V. DiGregor>'. Deputy Assistant 
Aliomc) General, United Stales Department of Justice, Before the Subconunitlcc on the Consliluliori of ihc House 
Committee on the Judiciaiy- on H.R. 5018 and H.R. 4987 (Sep. 6, 2000) tyFor example, the Administration's 
package proposes tliat wiretaps for electronic communications should be treated just tlie same as voice wiretaps, 
including approval by a high-level Justice Department official, limited to the list of predicate crimes under §2516. 
and vvilh the availabiliiv of suppression under §2515.”), available al 

iil!-p://iuclicjarv. house. cov/Leaacv/diGr()906.blm . 

- 18 U.S.C, § 2511(2)(g)(l). 
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the service provider, to disclose data to tiie government without process. Thus, for 
example, anyone other than the service provider with authorized access to shared photos 
could voluntarily disclose those photos to anyone else, including a government agent;— 

■ Would not change or eliminate any of the current exceptions permitting disclosures to the 
government by ECS and RCS providers, including those regarding inadvertently 
discovered evidence of a crime and emergency disclosures; 

■ Would establish uniform, clear, and easily understood rules about when and what kind of 
judicial review is needed by law enforcement to access electronic content; and 

■ Would, by clarifying the applicable rules, enable business to respond more quickly and 
with greater confidence to law enforcement requests and to avail themselves of hosted 
productivity technology, 


Principle 2: Access to Mobile Location Data 

Recommended Approach : Under the consensus principles, a governmental entity may 
require the provider of wire or electronic communications services to produce, prospectively or 
retrospectively, non-public information regarding the location of a mobile communications 
device only with a search warrant supported by probable cause. 

Need for Change : Cell phones and mobile Internet devices generate location data to 
support both the underlying service and a growing range of location-based services of great 
convenience and value. A cell phone that is turned on — whether or not it is in use — is in near 


— One of llie curreiil exceptions — user consent — eposes special issues, because, if broadly applied, consent 
■would OA'-erwhelm all pm-acy protection. For government access, consent should not be inferred from, for example. 
Terms of Ser^'ice that allow non-governmental entities to access content for various purposes. The 
recommendations are based on the presumption that the fact that a service provider has access to infonnaiion in the 
cloud for purposes of providing the smice. for offering value-added services or for delivering advertising does not 
diminish the user’s expectation of privacy as against the government nor otherwise create any exception to the 
probable cause ■warrant requirement. This should be the case regardless of whether it is the provider or a third party 
contractor that is getting access for these business purposes. Rather, consent that would defeat the warrant 
requirement sliould have to be knowing, explicit, and specific both to the person who created the content and the 
content to be disclosed. If tlais is not clear, a further amendment may be appropriate. 
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constant communication with nearby cell towers,— and, as a result, site tower information 
always reveals something about a user’s location (/.e., what tower or towers are nearby). In 
urban areas, where there are many cell tow^ers, a mobile communications device may 
communicate its location to more than one tow^er. By triangulating information received by two 
or more cell tow^ers, it is possible to establish a user’s location wdthin a matter of yards.— This 
location data can be intercepted in real time and is often stored for research and development, 
resolution of billing disputes, and other business purposes;— it can reveal a very full picture of a 
person’s movements, leading to inferences about activities and associations. In a growing 
number of devices, this automatically generated location data is augmented by very precise GPS 
data.— 


The requirements governing access to location information are not clearly set out in 
ECPA. For years law enforcement treated cell site information as “signaling” or “addressing” 
information, obtained by simply certifying that the information — both retrospective and 


— See DOJ, Eteclnmic Sm'veillance Manual, at 40 (2tK)5), available af 

http :/Avww.iusTice.iiov/criiTiinal/foij/docs/clcc-siir»manuai. pdf . ("A. cell sire simulator, digital analyzer, or a 
triggerfish can electronically force a cellular telephone to register its mobile identification number (‘MIN.’ 
telephone number) and electronic serial number (‘ESN.’ i.e., the number assigned by the manufacturer of the 
cellular telephone and programmed into the telephone) when the cellular telephone is lumed on. Cell site data (the 
MIN, the ESN, mid the channel mid cell site codes identifying the cell location and geographical sub-sector from 
ivhicii the telephone is transmitting) are being transmitted’ continuously as a necessary aspect of cellular telephone 
call direction and processing, The necessary signaling data (ESN/MIN, channcl/ccll site codes) arc not dialed or 
otherwise controlled by the cellular telephone usct. Rather, the transmission of the cellular telephone’s ESN/MIN to 
the nearest cell site occurs automatically when the cellular telephone is turned on. This automatic registration with 
the nearest cell site is the means by which the cellular service provider connects with and identifies the account, 
knows where to send calls, and reports constantly to the customer's telephone a read-out regarding the signal power, 
status and mode,”) 

“ See id at 41 . The Global Positioning System (GPS), cell towers, and Wi-Fi positioning sendee (WPS) are 
ihc ihrcc icchniqucs to identify a mobile device gco-localion. 

— See Declan McCiillagh, Fed,s Push for Tracking on Cell Phones, Feb. 10, 2010, available at 

h ttp ://news.cn et. cQm/8301-13.578_3- 104 .^l .*ii8 -38,htmi CWerizon Wireless keeps ‘phone records including cell site 
locaiion for 12 monihs,’ |said| Drew Araia, Vcri/.on’s vice president and associate general counsel for law 
enforccmeni compliance.”), 

— The FCC's Enhanced 9-1-1 service will by 2012 require wireless carriers to have the ability to report 
information about a caller’s location to within 50 to 300 meters when the caller makes an emergency call, and within 
100 meters for most such calls, 47 C.F.R. g 20.18(h)(1); jee FCC Enlianced 9-1-1 — Wireless Services, cmii table at 
http://www.fcc. gQv/pshs/sen'ices/91 l-service&'enhancedQllAVelcome.html . Wireless carriers often meet tliis 
requirement by installing GPS capabilities in their devices. For example, all Verizon devices sold after 2003 are 
GPS-capablc, See hUp://abouliis.v/ vv.c om/vvirc lc ssissiics/cnhanccd91 l.html , 
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prospective — was '‘relevant to an ongoing investigation.”— In 1994 Congress amended the Pen 
Register statute to preclude the collection of information disclosing location “solely pursuant” to 
that statute.— Notwithstanding this change, until 2005 judges routinely issued orders based on 
the “relevant to an ongoing investigation” certification so long as the request identified any 
additional authority for the request.— Generally law enforcement cited the Stored 
Communications Act for this additional authority — even when the location information was 
sought on a prospective basis, on the theory that nothing in the Stored Communications Act 
“requires that the provider possess the records at the time the order is executed ”— 

In 2005, a magistrate judge in the Southern District of Texas rejected this so-called 
“hybrid-theory,” holding - as most cell phone users would assume - that prospective collection 
of cell site data amounted to “tracking.” Citing the standard for installing a mobile tracking 
device under 1 8 U.S.C, § 3 1 1 7, the magistrate judge determined that law enforcement could 
access prospective cell site data only with a warrant supported by probable cause.— According 


— See DOJ. Electronic Sun>eilhnce Manual, at 45 (,2005). available at 

htt .D://www, i ll S lice, gov/criminal/foia/docs/clcc-sur-mann.il. pdf. (“In 1994, the Office of Enforcement Operations 
opined ihai iiivesiigaiors did not ne'^ io obtain any legal process in order to use cell phone tracking devices so long 
as they did not capture the numbers dialed or other uifonnation 'traditionally’ collected using a peii/trap dev’ice. 

This analysis concluded that the ‘signaling information’ automatically transmitted between a cell phone and tlie 
provider’s lower docs not implicate cither the Fourth AnicndinciU or the wiretap statute because it docs not 
consliluic the ’contcnls’ of a conmumicatioii. Moreover, the analysis reasoned — prior to the 2001 amendments — 
that the pen/trap statute did not apply to the collection of such information because of the narrow definitions of ‘pen 
register’ and ‘trap and trace device. ‘ Therefore, the guidance concluded, since neither the constitution nor any 
statute regulated their use, such devices did not require any legal authorization to operate.”) 

“ Pub. L. 103-414. Tide I. $ 103 (1994) (codified at 47 U.S.C. § i002(a)(2)). This preclusion is subject to an 
exception tliat applies to tlie extent tlie mimber itself provides thelocatiom i.e.. for pay phones or wireline phones. 

— See DOJ, Electronic Surveillance Manual at41, 43-44. available at 

http://www.iustiee,UQV/'cri]nina]/foia/docs/elec-5ur-mamial.pdf . (“Because of the 1 994 prohibition, law enforcement 
authorities have sought odier means to compel providers to supply this information prospecti^-ely. Most commonly, 
invcsiigalors have used orders under scclion 27()3(d) to obtain this inronnalion. Although scclion 27()3(d) generally 
applies only lo stored communications, nothing in that scclion requires llial the provider possess the records at the 
time the order is executed. Moreover, use of such an order does not improperly evade tlie intent of tlie C ALEA 
prohibition. Section 2703(d) court orders provide greater privacy protection and accountability than pen/trap orders 
by requiring (1 ) a greater factual showing by law enforcement and (2) an independent review of the facts by a court. 
Indeed, tlie very language of the CALEA prohibition — ^limiling its application 'to information acquired solely 
pursuant to tlie authority for pen registers and trap and trace devices’ — indicates tliat Congress intended tliat the 
government be able to obtain tliis information using some other legal process. Public Law 103-414. sec. 103 (a) 
(emphasis supplied). Thus. 2703 (d) orders arc an appropriate tool to compel a provider lo collcci cell phone 
location iiifomiation prospectively,” According to the DOJ Manual “[l]aw enforcement investigators may use , , , an 
order under section 2703(d) of title 18 in order to obtain historical records from cellular carriers,”) 


— In Re Applicalion for Pen Register and Trap firace Device yvilh Cell Site Location Aulhorilv United Slates 
District Court. Southern District of T exas. Houston Division, Magistrate No, H-05-557M (Oct, 1 4. 2005), 
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to Judge Smith, “While the cell phone was not originally conceived as a tracking device, law 
enforcement converts it to that purpose by monitoring cell site data.” Magistrate judges around 
the country followed Judge Smith’s lead on this, including a majority of the opinions published 
since 2005 

Although Judge Smith’s opinion applied only to the prospective collection of cell-site 
information, he noted that an individual might have “an objectively reasonable privacy interest in 
caller location information,”— based on the Fourth Amendment as well as the Wireless 
Communication and Public Safety Act of 1999.® He rejected the notion that there is no 
reasonable expectation of privacy in cell site location data, as well as the government’s attempt 
to analogize cell site data to telephone numbers found unprotected in Smith v. Maryland. 442 
U S. 735 (1979): “Unlike dialed telephone numbers, cell site data is not “voluntarily conveyed” 
by the user to the phone company. As we have seen, it is transmitted automatically during the 
registration process, entirely independent of the user’s input, control, or knowledge . . . location 
information is a special class of customer information, which can only be used or disclosed in an 
emergency situation, absent express prior consent by the customer.”— 

More recently, courts have rejected government requests for retrospective location data 
without a warrant, citing the language of the Stored Communications Act that “expressly sets 
movement/location information outside its scope by defining “electronic communications” to 
exclude “any communication from a tracking device” (as defined in 18 U.S.C. § 31 17) and 
noting that the “electronic communications statutes, correctly interpreted, do not distinguish 


— See Declan McCiillagh, Feds Push for Tracking on Cell Phones, Feb. 10, 2010, available at 
http://news.cnet.eom/8301-13578_3-1045i518-38.litml C‘Only amiiiorit}- [of judges] has sided with the Justice 
Dcparuncnl |on rules regarding prospcclivc cell phone tracking].”); Transcripl of Town Hall Record, Beyond Voice: 
Mapping the Mobile Marketplace, al 177-178 (May 6, 2008) (Session 4, "Location-Based Services”), available at 
http :/./htc -01. media. glohix.net/COMP008760MODij‘ftc_web./traiiscripts/050608_sess4. pdf. 

— In Re Application for Pen Register, supra note 58 at 16. 

— Pub. L. No. 106-81. § 5. 113 Stat. 1288(Oct. 26, 1999) (codified at 47 U.S.C. § 222(f)). 

— In Re A pplicalion for Pen Register, supra note 58 al 1 5; 
http:././www.iiistice.iJQv/cniTimal/foia/docs/eiec-sur-maEu al.pd f. 
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between historic and prospective [cell site location information].’’— Under these holdings, law 
enforcement can no longer assume that they will be able to acquire location data without a 
warrant based on probable cause. 

Courts that require law enforcement to secure a warrant based on probable cause to 
access mobile location data recognize that users are likely to assume that tracking, however 
accomplished, is still tracking. To comport with reasonable expectations and serve the public 
interest, the current uncertainty should be resolved by applying the probable cause standard to 
disclosure of relatively precise location information. 

There are already a number of innovative, socially beneficial “location aware” 
applications that employ technologies such as GPS, cell phone infrastructure, or wireless access 
points to locate electronic devices and provide “resources such as a ‘you are here' marker on a 
city map, reviews for restaurants in the area, a nap alarm triggered by your specific stop on a 
commuter train, or notices about nearby bottlenecks in traffic.”— More applications such as 
these are emerging every day, and in short order “systems which create and store digital records 
of people’s movements through public space will be woven inextricably into the fabric of 
everyday life.”— These applications will enhance quality of life, further important economic 
and social goals, and — with appropriate safeguards — serve law enforcement. Absent clear 
standards, privacy concerns could discourage consumer use, which could in turn make it less 
likely that location data will be available to law enforcement with proper authority. 


— In the Matter of the Application of the United ^ates of America for an Order Directing the Provider of 
Electronic Commumcaiiom Ser\>ice to Dischae Records lo the Govemmeni, U.S, Dislricl Coiirl for Ihc Wcslcni 
District of Pennsylvania. Magistrate’s No. 07-524M Magistrate Judge Lisa Pupo Lenihan . aff'd Sep. 2008, 
(“Government’s requests for Court Orders mandating a cell phone service provider’s cotert disclosure of individual 
subscribers’ (and possibly others’) physical location information must be accompanied by a showing of probable 
canse.”). The case has been appealed to the Third Cirenit. wliich heard oral arguments onFebruciiv- 12. 2010. Case 
08-4227. 

— See Educausc Learning Initiative, 7 Things You Should Knoyv About ... Location Ayvare Applications^ 
a\riilable at hitp://net.cduc3usc,cdu/ir<'librarv/r>df/EL-I7047.pdf . 

— Andrew J. Blumberg & Peter Eckersley. Electronic Frontier Foimdation, On Locational Privacy, and How 
to Avoid Losing it Forever, at 1 (Aug. 2009'), available at httn:/’/wvw/.cf f.or g/f iics.<''c f f - 1ocationai-pri'\’ acv .pdf. The 
sensitivity of precise geo^aphic location iiifonnalion was also discussed at a panel on mobile “location-based 
services" during the FTC's 2008 Town Hall on mobile marketing. See Transcript of Town Hall Record. Beyond 
Voice: Mapping the Mobile Marketplace (May 6, 2008) (Session 4, “Location-Based Services’), available at 
hup:./.iuc"()l.mcdia.glob i \.n ci /COMP()()8 76()M ODl/iic web./tran sc r i p l S /'i) 5()6 Q 8 scss4.p dr. 
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Efl'ect on Law Enforcement : Information that reveals an individual’s precise location can 
be highly sensitive, and collection of this information without proper safeguards implicates the 
exercise of a variety of rights protected by the Constitution, including important expression and 
association rights. To facilitate innovation, encourage the uptake of emerging location-aware 
technologies, and ensure that law enforcement access to location information generated by these 
products and services comports with the reasonable privacy expectations of Americans, ECPA 
should be amended to require a warrant based on probable cause to support access to location 
infonnation, whether it is sought on a retrospective or prospective basis.® This standard is 
consistent with Fourth Amendment safeguards against unreasonable search and seizure. In many 
cases, law enforcement must already meet the probable cause standard when requesting location 
data,— and certain service providers are taking the position that location data is subject to higher 
standards under ECPA for content.— 


Principle 3: Access to Transactional Data 


Recommended Approach : Under the consensus principles, a governmental entity could 
require the provider of wire or electronic communications services to produce, prospectively or 
in real time, transactional information (i.e., dialed number information, IP address, Internet port 
information, email to/from information and similar communications traffic data)® only with a 
judicial finding that the entity has offered specific and articulable facts demonstrating reasonable 


— This would be subject, of course, to the exception for telephone numbers that themselves provide location 
inlonnaiioii, 

— Most courts have held tliat prospective information requires a showing of probable cause. See supra note_ 
63. Law enforcement requests for retrospective location data are often combined with requests for prospective data. 
See. e.g.. In re Application Of The United States Of America For An Order Directing A Provider Of Electronic 
Commumcalkm Sennce To Disclose Records To The Government, 534 F. Supp, 2d 585, 589 (W.D, Pa. 2008); In re 
Application ofU.S.for an Order for Prospective Cell Site Location Infonnation on a Certain Cellular Telephone, 
460 F. Supp. 2d 448. 453 (S.D.N. Y. 2006). 

— For example, the Loopt seivhce “shows users where ftiends are located and what they are doing ^ia 
detailed, interactive maps on their mobile phones. . . . Users can also share location updates, geo-tagged photos and 
comments with friends in tlieir mobile address book or on online social netw'orks, communities and blogs." The 
provider clearly understands the privacy implications of this technology, and reassures users that "Loopt was 
designed with user privacy at its core and oilers a variety of circclivc and inluilivc privacy controls," About Loopt. 
available at http://ww~w.lQopt.com/iibQiit . 

— DOJ. Electronic Surveillance Manual, at 39 (2005), available at 

hup ://vk w w . i u sti ce , aov / c riminal/Toiva/doc s/e lc c-sur-manual.p^ . (“Pen register and trap and trace devices may obtain 
any noncontent information — all ‘dialing, routing, addressing, and signaling information’ — utilized in the 
processing and transmitting of wire and electronic communications. Such infonnation includes IP addresses and 
port numbers, as well as the 'To’ and 'From’ infonnation contained in an e-mail header,") 
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grounds to believe the information sought is relevant and material to an ongoing criminal 
investigation. 

Need for Change : Transactional data — records of who is calling whom, when and for 
how long, and records of all the “to” and “from” information associated with one's email, 
including date, time, message length (including subject line length) — can be highly revealing. 
Transactional records for e-mail and cell phone usage may contain far more information about an 
individual’s communications than “pen register” data in the wireline environment of the 
1980s.— As technology has evolved, transactional data has become ever more detailed and 
revealing, but remains available to law enforcement without effective judicial supervision. In 
fact, under ECPA, a court must issue an order for a pen register— or trap and trace device— 
whenever a prosecutor files a document stating that the information sought is relevant to an 
ongoing investigation.— Thus, read literally, a judge cannot even assess whether the information 
is in fact relevant; the only question is whether the government says that it is. As 
communications technology evolves and produces increasingly detailed and rich transactional 


— For example, tlie transactional record of an outgoing phone call to someone in a large office likely only 
contains the general office phone number and docs not spccii^- which person in the office has been contacied. 
However, tlie transactional record of an email to that person contains the recipient’s imique email address. See 
Center for Democracy & Tecluiologj'-s Analysis of S.2092 (Apr. 4, 2000), available at 
http:,A b l d.cdt.org/sccurity .'000404amcnding.sittml. 

It is not yet clear whether information such as URL ’s that include search terms or specific website 
addresses are “content” information tliat must be excluded from transactional records, Matthew J. Tokson. The 
Conlen!/ Envelope Disiinclion in Inlernei Law. 50 Wm. & Mar)’ L. Rev 2105, 2105 (2()()9) (“Courts and liUcmci law 
scholars have yet to offer a means of determining the conlcni/cnvclopc status of unique aspects of Interact 
communications-from email subject lines to website URLs.”). If transiictional records for e-mail or Internet-enabled 
cell phones include this information, then the>' would be far more revealing than traditional wireline telephone 
records, E.g.. United Stares v. Forrester. 5 1 2 F.3d 500, 510 n. 6 (9th Cir. 2008) (“Sur\’eillance techniques that 
enable the govcnimcni to determine not only ilic IP addresses that a person accesses but also the unilbnn resource 
locators (“URL”) of the pages ^dsited might be more constitutionally problematic. A URL, milike an IP address, 
identifies the particular document within a website that a person views and tlius reveals much more information 
about the person’s Tntcnict activity.”). 

— A “pen register” is defined as “a device or process which records or decodes dialing, routing, addressing, or 
signaling information transmitted by an instrument or faciliw from which a wire or electronic communication is 
transmitted, provided, however, that such information shall not include the contents ofanv communication... 18 
U.S.C, § 3127(3). 

— A “trap and trace device" is defined as a device or process which captures the incoming electronic or other 
impulses which identify the originating mimbcr or other dialing, routing, addressing, [or] signaling information 
reasonably likely to identify the source of a wire or electronic commuiiicalion, provided, however lliat such 
information shall not include the contents of any communication. 18 U.S.C. § 3 127(4). 

— 18 U.S.C, § 3123(a). 
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information, it is appropriate to afford judges a meaningful role in assessing whether the 
government’s claim of relevance is substantiated. 

Effect on Law Enforcement : The Justice Department has in the past acknowledged that 
the approach taken by the recommended principle is appropriate.— Nonetheless, the consensus 
principles call for a modest change only; The standard proposed is significantly less than 
probable cause: “specific and articulable facts showing that there are reasonable grounds to 
believe that the information ... is relevant and material.” Drawn from the Terry decision of the 
U.S. Supreme Court,— the language is identical to the fonnulation in the Stored 
Communications Act, which currently provides: 


A court order for disclosure under subsection (b) or (c) may be issued by any court 
that is a court of competent jurisdiction and shall issue only if the governmental 
entity offers specific and articulable facts showing that there are reasonable 
grounds to believe that the contents of a wire or electronic communication, or the 
records or other information sought, are relevant and material to an ongoing 
criminal investigation.— 

The marginal burden on law enforcement from this change should be minimal because law 
enforcement rarely asks for a pen register order without already possessing information sufficient 
to satisfy a “specific and articulable facts” standard.— The change will enhance business 


— See DOJ‘s View on H.R, 5018 (Electronic Communications Privacy Act of 2000), Testimony of Kevin 
Digrcgory, Deputy Associate Attorney General. m-aHable ai 

hrTp://cQmmdQCs.hcuse.gov/cQmmirree5/nidicuir\-/liin{>7343.000;‘hiu67.'i4A O.htm (“H.R. 5018. like tlie 
Administration’s bill, would introduce the requirement of judicial review of die factual basis for such orders. 
Specifically. H.R. 5018 would require such applicalions to contain ‘specific and articulable facts’ that would JustifY 
the collection of the data. While tlie Justice Department can comply with the added administrative burdens imposed 
by increasing this standard, we have coneys about the amendments. Specifically, the teclmologw-specific manner 
in which tlie bill would implement this change, die lack of an emergency exception, and the mirealistic geographic 
limiiaiions that restrict such orders in the present law all raise serious concerns that should be addressed.”), 

- Terry^v. Ohio, 392 U.S. 1,21 (1968). 

- ISU.S.C, § 27n3(d). 

— Orin S. Kerr. Internet Surveillance Law after the USA Patriot Act: The Big Brother That Isn 't, 97 Nw. U. 
L. Rev. 607. 639 & 673 n. 154 (2003) (“[A] higher ‘specific and articulable facts’ tlireshold would not add 
substantial burden for law cnforccincnt,,. . [IJn my government experience I never knew or even heard of any law 
enforcement agent or lawyer obtaining a pen register order when the agent did not also have specific and iirticulable 
facts, which would satisfy the higher thre^iold. My eiqierience is narrow, but it suggests that the practical burden of 
obtaining the order combined with the certification to a federal Judge and potential for criminal liability effectively 
regulates government oiTicers and deters them from obtaining pen register orders in bad faith. On the other hand, 
there may be rogue oriiccrs out there, if not now then in the future, and a higher thrcsliold combined with j udicial 
review could potentially provide an extra barrier to abuse.”). 
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responsiveness by clarifying the obligations of both law enforcement and business, and preserves 
the distinction between content and transactional data, and maintains the reduced burden needed 
to acquire the latter. 

Principle 4: Access to Subscriber Identifying Data and Stored Transactional Information 

Recommended Approach : Under the consensus principles, a governmental entity may 
use a subpoena to require the provider of wire or electronic communications services to produce 
information related to a specified account or individual. Judicial approval would be necessary 
only where such requests do not relate to a specified account or individual. 

Need for Change : Under ECPA, law enforcement may use an administrative, grand jury 
or trial subpoena to acquire certain information pertaining to a “subscriber to or [a] customer” of 
an electronic communications service or remote computing service.— The information that may 
be acquired under this provision includes name, address, call or session records, length of service 
and type of service utilized, and method of payment.— Using the administrative subpoena 
authority, law enforcement makes an independent determination that certain records are needed 
and then issues and serves the subpoena without input from a grand jury or even an assistant U.S. 
Attorney. Such administrative subpoenas are subject to judicial review only if the recipient of 
the subpoena challenges it. With administrative, grand jury or trial subpoenas, the government 
has no obligation to notify the subscriber or customer to whom the records relate.— A carrier or 
ISP will rarely have the incentive to challenge a subpoena, so this information is routinely 
disclosed without any judicial review whatsoever. 

The absence of judicial review or any meaningful opportunity to challenge a request for 
subscriber identifying records and stored customer records suggests that the scope of the 
subpoenas in these cases should be appropriately tailored. Indeed, the language of the statute 
itself suggests that such subpoenas may be issued for information pertaining to “a subscriber” or 
“a customer” identified with some particularity, for example, by a phone number or an IP 

18 U.S.C. § 2703(c)(2). 

Id. 

18 U.S.C. § 2703(c)(3). 


SO' 

Si-' 
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address at a specific time. This principle would make it clear that a subpoena cannot be used to 
compel production of, for example, information identifying “a// subscribers” whose device 
registered on a specified cell tower on a specified date, or information identifying ~all 
subscribers” who accessed a particular web site during a specified period of time. Nothing in the 
legislative history of ECPA suggests that the provision should be read to authorize such broad 
use of subpoenas. Rather, the absence of judicial review argues for a narrow interpretation to 
avoid misuse of the subpoena for “fishing expeditions.”— 

Effect on Law Enforcement : The principle is intended to clarify that the government may 
use a subpoena to obtain the subscriber information specified in the statute if the investigator can 
identify the subscriber with particularity (e.g. phone number, IP address used at a specific time). 
Otherwise, the investigator would obtain the information after securing a §2703(d) order based 
on specific and articulable facts demonstrating reasonable grounds to believe that the information 
is relevant to an ongoing criminal investigation, or a search warrant. The consensus principles 
would leave the current standard found in ECPA untouched when the records sought by law 
enforcement pertain to a specific subscriber or customer. Only if the government sought records 
about groups of subscribers or customers, would judicial review be required. 

Conclusion 

The United States leads the world in bringing innovative, ground-breaking 
communications technology to market, and enjoys the many social and economic benefits that 
technology produces. The United States also enjoys the many benefits flowing from 
Constitutional safeguards designed to preserve individual liberties, including the right to be free 
from unreasonable search and seizure. The U.S. has consistently balanced those values with the 


— Without a narrow interpretation, law enforcement can subpoena a list of all visitors to a news website on a 
particular day, and order that the recipient of the subpoena not disclose the subpoena's existence. The Department 
of Justice recently attempted tliis before withdrawing its subpoena after tire website owners objected publicly. See 
Dcclan McCullagh, ./n.s'hcc Dapf. Asked fur NewsSile’s Visitor I jsls. Taking Liberties Blog (Nov, 10, 2009), 
cn-niinbk al hiiD:,//vvvvw ,cbsp.cvvs,conirbjoas;^009/T l.-'09/takjna libcriics.'culn.' S595ii06,sblmi : Copy of Subpoena, 
available at http:/,%wwv efr.oru/fiIes/siibpoena.Ddf See also Nymity Intenhewc Where Did Due Process Go? 

Gove nwieni Access to Persona! Information in the C/ontt (Tntervdew with Scott Shipman, eBay) (Feb 2010), 
h ttpvVffww .nv mitv. com, Tree Privacy R csonrccs/Privacv tntcr\icw^/20 iO/Scoti Sh ip man. .asox (“[W]c rc starting 
to see a new wave of requests. These new requests are a broad request for a large group of umiained customers. For 
example, we see requests from authorities that state, ‘please proxide all information on all sellers who have sold in 
tile following jurisdiction (zip code) within the last year. ' Requests hke tliose arguably flip the notion of due process 
upside down.”). 
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needs of law enforcement in the communications environment, and both U.S. consumers and the 
U S. economy have benefitted from the trust and confidence that this balance inspires in our 
electronic communications and information technology services providers, including among 
businesses and individuals located outside our borders. Changes in technology since 1986 have 
made it difficult to apply ECPA in a manner that comports with the reasonable expectations of 
individuals, potentially eroding user willingness to entrust private information to third party 
service providers in the United States. The principles recommended by the working group 
would, if implemented, align ECPA with current and emerging technology without unduly 
constraining or imposing significant burdens on law enforcement. 
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Mr. Nadler. With that, I thank the witnesses. And the hearing 
is adjourned. 

[M^ereupon, at 4:06 p.m., the Subcommittee was adjourned.] 
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Congressman Henry C. “Hank” Johnson, Jr. 

Statement for the Hearing on Electronic 
Communications Privacy Act (ECPA) Reform 

May 5, 2010 

Thank you, Mr. Chairman, for holding this hearing and 
giving Members the opportunity to examine the Electronic 
Communications Privacy Act. 

The internet has grown and transformed the way Americans 
communicate, work, and live. We are increasingly living 
our lives online. We go online to learn, shop, pay our bills, 
and to connect with family and friends. 

The founding fathers recognized that citizens need privacy 
for their “persons, houses, papers, and effects.” While 
technology has been advancing at the speed of light, that 
basic principle the framers had in mind, when they drafted 
the Constitution, has not changed. 

The ability to monitor communications has grown 
enormously. As technology continues to expand, we must 
adjust our laws to keep up with modern technology. 

The primary statutory protection for the privacy of 
electronic communications is the Electronic 
Communications Privacy Act, which became effective in 
1986. The World Wide Web, however, was not designed 
and distributed until 1992. In 1993, there were almost two 
million web sites. As of 2007, it was estimated that there 
were over 100 million web sites. 
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As the World Wide Web and teehnology eontinue to 
expand, our laws must evolve to keep up with eurrent 
trends. 

As 1 think about this issue, several questions eome to mind. 
How ean Congress reform the Eleetronie Communieations 
Privaey Aet to ensure that individuals retain their right to 
privaey and that the government has the tools it needs to 
eonduet investigations? How can Congress reform the Act 
to provide service providers with clarity so that they can 
effectively communicate with their customers and gain 
their trust? Is it premature for Congress to legislate with 
unresolved Fourth Amendment issues? 

1 hope that our witnesses can shed light on these questions. 

Thank you, Mr. Chairman, for scheduling this hearing. I 
look forward to hearing from our witnesses today, and yield 
back the balance of my time. 
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Written Testimony of Richard Salgado 
Senior Counsel, Law Enforcement and Information Security, Google Inc. 
House Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties 
Hearing on Electronic Communications Privacy Act Reform 
May 5, 2010 

Google thanks Chairman Nadlcr, Ranking Member Sensenbrenner, and honorable members 
of tlie Subcommittee for examining the need to modernize the Electronic Communications 
Pnvacy Act ot 1986 (ECPA). My name is Richard Salgado. As a Senior Counsel for Law 
Enforcement and Information Securit\" at Google, I oversee the company’s response to 
government requests for user infonriation under various authonties including KCP A. 1 am 
also responsible for working with teams across Google to protect the securit)- of our 
networks and user data. I have ;ilso ser^'ed as a Senior Counsel in the Computer Crime and 
Intellectual Property Section in the U.S. Department of Justice. 

It is vital for Google and for Internet users that Congress update liCPA to address the 
tremendous technological advances in communications and computing technology' tlaat the 
world has witnessed since the statute was passed. This is why Google is playing a lead role 
in the Digital Due Process coalition ( www.diginildLicproccss.orgA an ECPA refonn advocacy 
coalition that includes otlier technology companies, non-govenimentai organizations, and 
academics. We need to make sure that KCPA protects individuals from unwarranted 
government intrusion as communications and computing technology- continue to advance. 

At the same time, I iCP A must offer law enforcement the tools necessary* to perform its 
important work. 

I iCP A was designed for the communications and computer technology* of 1986. The way’s 
in which we communicate and compute today’, however, bear little resemblance to tliose of a 
quarter century’ ago. Wlien ECPA bec-ime law in 1986, comnaunication through the Internet 
was the province of aeademie researehers and government agencies. There was no 
commercial World Wide Web. Commercial email had not yet been offered to the general 
public. Instant messaging wasn't widely used until the late 1990s. Only 340,000 Americans 
SLibscnbed to cell phone sennee — the equivalent of one line tor every citizen ot Tampa, 
Florida — and not one of them was able to send a text message. 

Since ECPA was signed into law, we have experienced unprecedented advances in 
communications technology^ and sennees, and a fundamental shift in how’ people 
communicate. The weh, search engines, video sharing sites, and voice-over-lP services are 
only a few of the technologies tliat have become commonplace and part of even^day life, y’et 
would have seemed like scienee fiction at the time ECPA was enaeted. 




We've also seen a profound transformation in the way’we store, access, and transfer data. In 
1986, holding and storing data was expensive, and storage devices were limited by 
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technolog}^ and size. A 10 megabyte hard drive that had room to store about two high 
resolution photos cost $6S0 (or 10 dollars per megabyte). In 2010, th'mks to innovation 'md 
advmces in technolog}% a 1.5 terabyte hard drive can be purchased for $99 (0.000094 dollars 
per megabyte) and hold 300,000 photos. Complimenting the growtli in storage capacity, 
average data transler rates are nearly one hundred and sixty times taster tlian in 1986 — 
making it possible to share ncher data and to perform more complicated tasks in a fraction 
of the time it took wlien KCPA became law. 4'his massive drop in cost and increase in the 
speed of storing and accessing data, has had a huge and positive impact on a.ll classes of 
online users, fostering improvements in cfficicnc\' and innovation. The development of 
Internet-based computing and storage — widely known as “cloud computing” — is one direct 
benefit. 

Compimies like Google are now able to offer individuals, businesses, educational 
institutions, goveniment entities, and otliers tlie ability to store, access, use and share tlieir 
data from remote servers. This provides enormous cost, scalability, and security advantages 
over home or workplace data storage tlaat was tlie norm twenty-five years ago. Ratlier tlian 
invest in expensive and specialized IT equipment and personnel, customers can rely on tlie 
scale and security offered by the cloud providers to access data anywliere Internet access is 
available. The cloud is about much more than email; it enables services like online video, 
shared document collaboration among people in different time zones, and many other 
scnaccs. The “virtual” senaccs offered in the cloud have created enormous and tangible 
value ill tlie economy, cultivating new businesses and a spurring the creation ot an entirely 
new tech sector. As communications and neKvorks become faster and more data intensive, 
tins sector will continue to create new jobs and more opportunities tor investors and 
innovators. 

The movement to the cloud will continue to increase as its benefits are vddely felt. This is a 
valuable and important trend that shouldn’t be slowed artificially by outdated technology 
assumptions baked into parts of KCPA. Nor should the progression of innovation and 
technology^ be hobbled by^ I tCP A provisions that no longer reflect the way* people use the 
scnnccs or the reasonable expectations they* have about government aecess to information 
tliey store in the cloud. 

Applying the statute to new, widely* used services that didn’t exist in 1986 has resulted in 
complex, often baffling rules that are difficult to explain to users and difficult to apply. Tlais 
mismatch between privacy expectations and privacy protection, combined witli counter- 
intuitive rules, tlireatens to hinder the benefits ot cloud services to our economy. 

The rules around compelled production of communications content, like email, provide a 
good example of the current complexity. ECPA provides that the government can compel a 
service provider to disclose the contents ot an email tliat is older than 180 days witli notliing 
more tlian a subpoena (and notice to tlie user, which can be delayed in certain 
circumstances). If the email is 180 day-s or newer, the government will need a search 
w^arrant. (I'he U.S. Department of Justice also takes the posirion that a. subpoena is 
appropriate to compel the sendee provider to disclose the contents of an email even if it's 
not older than 180 day’s if the user has already retrieved it. The Ninth Circuit Court of 
Appeals has rejected tliis view.) Ifs difficult to imagine a justification tor a rule tliat lowers 
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tile procedural protection for a message merely because it is six months old or has been 
viewed by the user. 

The Digital Due Process coalition has put tonvard principles that are designed to help 
ensure that content stored in the cloud gets no less due process protection as data held on 
computers at home or in the office, to adjust the mles to match the reasonable privacy 
interests of today's online citizens, and to ensure that government has tlae legal tools needed 
to enforce the laws. 

There are four key ways ECPA should be updated: 

• Create a consistent process for data stored online: Treat private 
coinmunications and documents stored online the same as it they were stored at 
home and require the government to get a search warrant before compelling a 
scnacc provider to access and disclose the information. 

• Create a consistent process for location information: Require tlie government to 
get a search warrant before it can track movements through the location of a cell 
phone or other mobile communications device. 

• Clarify the process for real-time monitoring of when and with whom 
communications are being made: To require a service provider to disclose 
infonnation about coinmunications as diey are happening (such as who is calling 
whom, ‘■‘to” and “from” information associated with an email that has just been sent 
or received), the government would first need to demonstrate to a court that the data 
It seeks is relevant and material to a criminal investigation. 

• Clarify the process for bulk data requests: A government entity investigating 
criminal conduct could compel a senace provider to disclose identitying intormation 
about an entire class of users (such as tlae identity ot all people who accessed a 
particular web page) only after demonstrating to a court that the information is 
needed for the investigation. 

Modernizing ECPA will benefit everyone w'ho uses cloud services including individual users, 
businesses small and large, and enterpnse customers — all of whom depend on havang their 
data available everywhere, safe, secure, and at low cost. It will also make users of cloud 
scnaccs contidcnt that the privacy of what they store virtually m the cloud is respected no 
less than the prwacy of information stored at home. As contidence growls and users put 
more of their data on the eloud, those benefits will be felt tlaroughout tlie Ameriean 
economy as lower costs and higher productivity. Further, these updates will provide clear 
guidance and consistency to law enforcement agencies, and will not impede the ability of law 
enforcement agents to obtain evidence stored in tlie cloud. 


The issue ot due process in the cloud is one of increasing interest to our users. Last rnontli, 
Google released a new government requests transparency tool that gives our users 
information about the requests for user data or content removal we recewe from 
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government 'Agencies around the world faww.google.com /go verniTientrequests) . I'his tool 
has served to raise attention to the issue of what nghts users have when it comes to their 
data. We hope that the U.S. leads the way m ensuring that data rec|uests for online data 
receive die kind of due process diat citizens expect and deserve. 

Advances in technology rely not just on the smart engineers who create the new services, but 
also on smart laws that provide die critical legal underpinning for diis new world. We look 
forvvird to working with Congress to strengthen the leg.il protections for individmils md 
businesses diat rely on our services. 
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Cluuiman Nadler. Kankinn; Member Scnscnbrcnncr. and Members of the Committee: 

The American Civil iJbertics Cnion (ACl.U) has over half a mdlion members, countless 
additional activists and supporters, and nrty-thrcc afTiliotcs nationwide. We oie one of the 
nation's oldest and largest orpmi/ations advocating in support of mdIvHjtuI rights in the courts 
and before the cscculivc and legislative branches of gosemmcni. Throughout our hisuity, wc 
have hcvn one of the nalHin's forctnosl protectors of individual privacy. Wc write today to urge 
Ihc committee to take the fust steps toward modernizing ihc IJcMlninic Communications Privacy 
ActdX'PAL 


The I'ounding l-olhers n.-cogni/cd that citizens in a democracy need privacy for ihcir “penons. 
bouses, papers, and effects." That amains as true os ever. Hut our privacy laws have not kept 
up as technology has changed the way wc hold information. Tfioiius JcITcrson knew the papers 
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and ct'fccts he stored in his ot'fiee at Monticello would remain private. Today’s citizens deserve 
no less proteelion just beeause their '‘papers and eileels” might be stored eleclronieally. 

The main statutory protection for the privacy of communications, ECPA, was written in 1986 
before the Web was even invented. Technology has not only advanced tremendously since 1986. 
it has also become an essential pari of our lives. It impacts how we learn, share, shop and 
connect. We need an updated ECPA to match our modem online world. 

Americans Have Embraced Technology 

Technology has changed immensely since ECPA was written in 1986 — and Americans have 
adopted these changes into their lives: 

• Over 50% of American adults use the Internet on a typical day.^ 

• 62% of online adults watch videos on video-sharing sites, ^ including 89% of those aged 
18-29.' 

• 69%> of online adults use "cloud computing” services to create, send and receive, or 
store documents and communications online.' 

• Over 70% of online teens and young adults'^ and 35% of online adults have a profile on a 
social networking site. ^ 

• 83% of Americans own a cell phone and 35% of cell phone owners have accessed the 
Internet via their phone. ^ 


‘ Coumion daily activities include sending or receiving email (40+% of all American adults do so on a typical day), 
using a search engine (35+%). reading news (25+%). using a social networking site (!()+%). banking online (15+%), 
and watching a video (10+%’). Pew Internet & American T.ife Project, Daily Imemei Aciiviiies, 2000-2009, 
htt.r>:/7wwwMsew'inten]et.orc%rend-Data/T.);j!lv-Inten')et-Act!vities-200n2009-:ispx . 

“ A "video-sharing site" or “video hosting site" is a website that allow users to upload videos for other users to view 
(and. often, comment on or recommend to others). Wikipedia. Video Hosiing Service. 

btip:/ycn.wik.i t)cdia.org/vviki/Vidco sharing (as of May 1,2010. 04:21 GM'l'). YouTube is the most coimrion video- 
shai'iiig site today. 

■' Pew Internet & American Life Project. Your Other Tube: Audience for Video-Sharing Sites Soars, .Tuly 29, 2009, 
htm:/7oev.-Te.se.arcb.or2/i'>uhs/1294/oniine-video-sharin»-sifes-use 

^The term “cloud computing" has many definitions, but generally refers to services that offer applications or data 
storage accessible \na the web. Pew Internet & American Life Project, Use of Cloud Computing Applications and 
Services. Scp. 2008 Ihcrcinaftcr Pew Cloud Report]. bttp://www.pcwiiitcmet.org/Rcpoits/2008/Usc-of-Cloud- 
('omputing-Applications-and-Services.aspx. 

Pew Internet & American Life Project. Use of Cloud Computing Applications and Setyices. Sep. 2008 rhereinafter 
Pew Cloud Repoit], http://vAvw,j')ewinte!Tiet.org/Reports/200SA.I.se-of-C1oiid-Compi3ting-Api.>licarions-and- 
Services. asp x . 56% of Internet users use wehmail services, .34%' store photos online, and 29%; use online 
applications such as Google Docs or Adobe Photoshop to create or edit documents. 

^ Pew Internet & American Life Project. Social Media & Young Adults, Feb. 3. 2010. 
bt4)://wwwxpewmterner.ora/Repoits/2010/Socjal-Media-aQd-Youna-Adiiits-aspx . 

7 

“Social networking sites" allow users to construct a “semi-public" profile, connect with other users of the seivice, 
and navigate these connections to view’ and interact with the profiles of other users, danah m. boyd & Nicole B. 
tllison, Social Networking Sites: Definition, History, and Scholarship, 13 J. of Comp. -Mediated Comm. 1 (2007); 
Pew Internet & American Life Project. Adults & Social Network Sites. Jan. 1 4. 2009. 
hup:/7ww\v,pc-wiojcrnci,org/RcporL/2009/AduUs-an<J-SociLd-Ncivvork-Wcbsitcs,aspx . 
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Companies continue to innovate and create new ways for Americans to merge teehnology with 
daily activities. Google has spent ihe last live years building a new online book service and sales 
of digital books and devices have been climbing.^ Americans increasingly turn to online video 
sites to learn about everything from cuirent news to politics to health. Txication-based 
seiwices^^ are a burgeoning market.^" 

'ITiese services provide many benefits, but they also have the ability to collect and retain detailed 
information about individuals; their interests, concerns, movements, and associations. This 
information can be linked together, allowing a user’s Internet searches, emails, cloud computing 
documents, photos, social networking activities, and book and video consumption to be collected 
into a single profile.’^ 

Americans Still Expect Privacy 

'ITiis rapid adoption of new technology has not eliminated Americans’ expectations of privacy. 

To the contrary, Americans still expect and desire that their online activities will remain private, 
and express a desire for laws that will protect that privacy. 

• 69% of Internet users want the legal right to know everything that a Web site knows 
about them.^‘^ 

• 92% want the right to require websites to delete information about them.^'"’ 

• A large percentage of users of cloud computing are “very coneenied” about how their 
personal information may be used and disclosed to law enforcement and third parties.’^ 


^ Pew Iniernel & American Life Projecl. Internet, Broadband, and Cell Phone Statistics. .Tan, 5. 2010, 
htn:>://'ww’\v.i')ewijU,erneT.ora/'Repnrts/2Q j0/-Tnternet-bTOadb<)nd-ar!d-cel1-phor!e-sTaristics-asnx . 

® See generally ACl.U of Northern Califomin. Digital Books: A New Chapter for Header Privacy. Mar. 2010. 
available at hi [py/w ww.doji'ighis.org/digiLal-books-ncw-chapior-rcadcr -privacy . 

“More Americans arc waicMng online video each and every monili than watch the Super Bowl once a year.." 

(rreg .Tarboe, 125.5Million Americans Watched 10.3 Billion YouTube Videos in September. 
SiiARCiir.NOiNiiWA'i'Oii.coM, Oct. 31, 2009. hT,t i')://l'>log.searchenoinew:itch.coin/091 03 1-1 10343 . 

^^‘■T.ocation-based services" is an information service utilizing the user's physical location (which may be 
automatically generated or manually defined by the user) to provide services. Wikipedia, T/ocation-Based Service, 
b(tp:.//cn. Wik i p ed ia. org/wiki/Loc aiion- base d serv ice (as of May 1, 2010. 04:35 GMT). 

Recent location-based service f oursquare built a base of 500.000 users in its first year of operation. Ben Parr, The 
Rise of Foursquare in Numbers [STATS]. MASKABLE. Mitr. 12, 2010. 
httn:/7mashable.com/2()10/03/12/fom~scjtnge-smrs/ . 

See ACTTT of Northern California, Digital Books, supra note 9 ("[T]f a reader has logged in to other Google 
services such as Gmail at the lime he searches for a book. Google can link reading data lo the reader's unique 
Google AccoLuil [and] retains the right to combine all this information with information gleaned from its 
Doubleclick ad seiAuce, which macks users across the Tntemet.’’) More infonnation is available at the ACT XT’s 
Demand Your dotRights campaign website. Demand Yonr dotRights. htt,n://dotRights.org . 

Joseph Turow, et al. Atnericans Reject Tailored Advertising 4 (2009), available at 
iittt;://paDers.ssm.coin/'sGl3/papers.cfni'': abstr act id-i478214 . 

Id. 

Cloud computing users arc “very concerned" about law enforcement access to data (49%); services retaining fdes 
after users delete them (63%); services using personal data for targeted advertisements (6S%>) or marketing (80%>); 
services selling fdes or data lo third parties (90%). Sec Pew Cloud Report, supra note 5. at 11. 
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When user privaey is not protected, users are slower to adopt new technology. A recent poll 
revealed that 50% of Americans polled have little or no interest in using cloud computing and 
that 81% of these respondents are reluctant, at least in part, because they are concerned about the 
security of their information in the cloud. 

Americans want and need legal protections for privacy that reOect the technology they use every 
day. The time has come to modernize ECPA to relied our 2T'' century digital world. 

ECPA Rules Are Confusing and Outdated 


In the face of rapid technological change and Americans’ continuing expectation of privacy, 
ECPA has fallen behind. Distinctions in ECPA have become increasingly confusing and 
arbitrary, based on an understanding of technology that is a generation behind that which we use 
today.^^ Many new technologies, particularly those dealing with location information, are not 
addressed by ECPA. These failures not only leave holes in the privacy protections in place for 
individuals, but pose a threat to continuing innovation and business development. We need to 
update ECPA to encompass all of the ways that Americans use technology today. 

E-mail exemplifies the gap between the language of ECPA and today’s technology. In 1986, e- 
mail was typically downloaded to a recipient’s computer upon receipt and immediately deleted 
from the c-mail provider's storage. ECPA was written with this behavior in mind; it requires a 
seai'ch warrant to retrieve a message from an e-mail provider’s storage only if the message is less 
than 180 days old, and provides for lower standards if the email is left on the server for more 
than 180 days.^^ Today, however, e-mail is often both stored on and accessed from remote 
servers belonging to the e-mail provider, and many people ’’archive” their e-mail on their 
provider’s server rather than deleting old messages. Basing legal protection on how long an e- 
mail has been stored is incongruous with current e-mail use. Instead. ECPA should provide full 
protection for all online documents and communications and dispose of these artificial and 
outdated distinctions. 

Similarly, the state of technology in 1986 resulted in more legal protection in ECPA for the 
content of communication — the body of an e-mail or the contents of a letter or phone 
conversation — than for the transactional information. Historically, transactional information was 
easy to distinguish from content; the number dialed on a telephone as opposed to the voice call 
itself, or writing on the outside of an envelope as opposed to the message within. The digital 
world, however, blurs the line between content and transactional data. Internet search terms, 
browser history, e-mail subject lines and location information do not fit neatly into either 
category and can reveal sensitive data like political and religious affiliations. Most people 


’ ' HaiTis Interactive, Cloud Computing: Are Americans Readx?, Apr. 2 1 , 20 1 0, 

httn://Tiews.hajTisinteract!ve.com/profi1es/iiive.stor/ResT-ibrnrvView-asp?B7:TT)=:]9(>3(*cResT.ibrarvTD=37539&C.3Teao 

i-v=1777 

See Steve Jackson Games v. U.S. Secret Setyice, 36 F.3d 457 (5th Tir. 1994) (The Wiretap Act. as amended by 
r.CPA, is “famous (if not infamous) for its lack of clarity.”). 

Even this limited protection is in doubt. The Department of Justice lias argued that, once email is opened, it is no 
longer in “electronic storage" and thus no longer subject to n warrant requirement under T.CPA even if it is less than 
180 days old. hi re Application of the U.S. for an Order Pursuant to 18 U.S.C. §270J(d), D. Colo.. No. 09-80. 
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consider such information to be private. The law should match these expectations and require a 
wan’anl for disclosure. 

In addition to the difficulty in anticipating modern uses of technologies existing in that era, 
lawmakers in 1986 could not predict technological innovations. Mobile phones provide a glaring 
example, along with the location information gleaned from them. Modern cell phones have 
become, in essence, portable tracking devices. Technologies including GPS"^ and cell lower 
triangulation"^ allow mobile phone providers to determine our physical locations in real time — 
and these providers can retain records of this location infonnation for various purposes. The 
legal standard for access to these records is currently being litigated, and Congress has never 
weighed in on what the appropriate standard should be.‘‘ In the meantime, litigants regularly 
demand these sensitive records in government investigations and civil suits. A company 
employee recently admitted that Sprint received a staggering eight million requests for mobile 
phone location information from law enforcement in just over a ycar."^ 

Outdated digital privacy law is not only a threat to individual privacy; it also affects businesses 
and hinders innovation. User perception of inadequate privacy is one threat that companies face. 
For example, Microsoft recently announced that its future lies in online cloud computing 
sendees, but its own poll found that more than 90 percent of the general population is "concerned 
about the security, access, and privacy of personal data" stored online,"^ leading the company to 
explicitly ask Congress for better online privacy protection to promote cloud compiiting.^^ 

Companies are also affected when they receive demands to turn over the personal infonnation of 
users, (joogle just released data that it received over 3,500 demands from law enforcement 
involving criminal investigations in the last six months of 2009.'^ If Google is receiving 
thousands of demands digging into the intimate details of individual lives that are captured in 
emails, search histories, reading and viewing logs, and ihe like, how many more are going oui to 
Yahoo, Microsoft, Facebook and the thousands of other online services that Americans use every 
day? And how can companies hope to respond to these requests without improperly over- or 


GPS, or Global Positioning System, is a satellite-based navigation system that allows a GPS receiver to determine 
its own location. Global Positioning System, http://gps. 20 v. 

Gell tower triangulation allows the location of a mobile device to be detennined by '■triangulation” based on its 
calculated distance from two or more cell towers within the phone's range. See Chris Silver Smith, Cell Phone 
Triangulation Accuracy Is All Over the Map. ScarcliHngincLand.coin. Sep. 22. 2008. 
http://scarchcngincland.com/ccll-phonc-triangulatioii-accnracy-is-all-ovcr-thc-map-14790. 

See, e.g., In re Application of the United States for an Order Directing a Provider of Electronic Communications 
Senlce to Disclose Records to the Government. No. 08-4227 (3d. ('ii. oral argument heal'd Feb. 12. 2010). 

Kim Zetter, Feds 'Pinged' Sprint GPS Data 8 Million Times Over a Year, Wikl', 1 ), Dec. I, 2009. 

^Microsoft News Center. Cloud Computing Flash Poll — Fact Sheet , 

hiU):/7H ww.microsori.cojiiin~essoass/pre'Sskib/dojidt)olic\’/docs/PoIlFS,doc . More inlbrmalioii is available at 
hrrii'//www.microsot?.com/rre.s.sDass/presskits/cioudDolicv/Treijeiials.aspx . 

Microsoft News Center. Press Release: Microsoft Urges Government and Industry to Work Together to Build 
Confidence in the Cloud. Jan. 20. 2010, available at iHSp://wwvv.Kiicrosofi,com/prcsspass./pi'css/2010/ianl0/l- 
2()BrookingsPR.mspx , 

Government Requests Tool, htTi):.//www. google. com/goverDinentjeqne:sts . Note this does not include National 
Security letters or demands received outside of ciiminal investigations. It also docs not count the actual number of 
users whose records disclosed pursuant to each demand. All of this means this number likely only reflects a fraction 
of the number of users whose records were demanded. 
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under-disclosing information when faced with outdated, confusing laws with questionable 
applicability to iheir products or services? 

Key Principles for Updating ECPA 

Because these inadequate legal standards create difficulties for Internet users and businesses 
alike, a coalition of privacy advocates and businesses — from the American Civil Liberties Union 
to Google and AT&T — has formed to urge Congress to update electronic privacy law to provide 
clear rules and better protection for electronic data. The coalition believes that just as the law 
recognized that storing information in digital foim on a computer hai'd drive should have the 
same probable cause warrant protection as information stored in paper form in a filing cabinet, 
the time has come to ensure that these same privacy protections apply to digital information 
stored in the cloud. 

'ITie ACLU believes the efforts being urged by the coalition to update ECPA are critical first 
steps but believes a full review of ECPA should involved all of the following issues: 

1. Robustly Protect All Personal Electronic Information. 

2. Safeguai’d Location Information. 

3. Institute Appropriate Oversight and Reporting Requirements. 

4. Require a Suppression Remedy. 

5. Craft Reasonable Exceptions. 

Robustly Protect All Personal Electronic Information. 

In the modem world, just as in Jefferson’s time, our personal, private information — whether 
paper documents and correspondence or records of what we search and read online — reveals a 
tremendous amount about us. Our right to privacy and our rights to free expression and free 
association require that this information be protected from disclosure to the government without 
notice and without a warrant based on probable cause. Changing technology must not erode 
these protections. Our e-mail, online spreadsheets and photos, and other digital documents need 
strong legal protections regardless of how. where, or how long they are stored. 

Congress has long-recognized the privacy interests in the transactional records of users of 
expressive material. The Video Privacy Protection Act prohibits disclosure of video viewing 
records without a warrant or court order, requires notice prior to any disclosure of personally 
identifiable information to a law enforcement agency, and requires the destruction of personally 
idenliliable information one year after it becomes unnecessary.^^ 'ITie Cable Communications 
Policy Act similarly prohibits disclosure of cable records absent a court order.^^ Similarly, to 
safeguard autonomy, privacy, and intellectual freedom, our laws extend protection to library and 


IS U.S.C. § 2710(b)(2)(B). (b)(3),(e) (2009). 
47 U.S.C. § 551(c) (2008). 
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book records.^'’ Wc need the same protection for digital records that implicate our First 
Amendment freedoms by recording our expressive actions and choices. 

Current loopholes in our privacy laws need to be closed to protect electronic information without 
regard to its age. whether it is "content" or "transactional" in nature, or whether companies or 
individuals can use this information for other purposes. ECPA must be modernized to provide 
robust protection for all personal electronic information and require a probable cause wan’anl and 
notice prior to disclosure. 

Safeguard Location Infonnation. 

'Fhe vast majority of Americans own cell phones. The location information transmitted by these 
phones every minute of every day reveals not only where we go but often what we are doing and 
who we are talking to. Americans take cell phones everywhere: to gun rallies, to mental health 
clinics, to church, and everywhere else we go. Ubiquitous tracking is a reality in the United 
States. We must protect this sensitive information from inappropriate government access. 
Location information, whether cuixent or historical, is clearly personal information. The law 
should require government officials to obtain a wairant based on probable cause before allowing 
access. 

Institute Appropriate Oversight and Reporting Requirements. 

Electronic recordkeeping enables easy collection and aggregation of records, and the insufficient 
and outdated standards applied by FCPA provide little barrier should the government wish to 
engage in a “shopping spree” through the treasure trove of personal information held by private 
companies. In addition to updating the standards for access to electronic information, ECPA 
should ensure adequate oversight by Congress and adequate transparency to the public by 
extending existing repoiting requirements for wiretap orders to all types of law enforcement 
surveillance rec[uests. 

'fhe House .Judiciary Committee recognized this need when it passed HR 5018 (106'^ Congress) 
by a vote of 20-1 The proposed bill would have required reporting on all orders, warrants, or 
subpoenas issued by government entities seeking electronic communications records or content 
information. Current efforts to modernize ECPA should include this requirement as well. 


48 states protect library reading records by statute, see, e.g.. N.Y. (fP.L.R. § 4509; C'al. (iov. (y)de §§ 6267, 
6254(j), and federal and stare conns have also often frowned upon atrempis by the government or civil litigants to 
gain access to such records, see, e.g. . In re Grand Jury- Subpoena to Amazon.com, 246 F.R.D. 570. 573 (W.D. Wis. 
2007) (quashing a government subpoena seeking the identities of 120 book buyers because “it is an unsettling and 
un-American scenario to envision federal agents nosing through the reading lists of law-abiding citizens w-hile 
hunting for evidence against somebody else.’’): 7” re Grand Jury Subpoena to Kramerbooks A fterwords, Inc., 26 
Media L. Rep. (BNA) 1599, 1601 (D.D.C. 1998) (First Amend meni requires govcrimicnt to "demonsiraic a 
compelling interest in the information sought . . . fandl a sufficient connection between the information sought and 
the grand juiy investigation" prior to obtaining book records); Tattered Cover Ciiv ofTfwrnton, 44 P.3d 1044, 

1059 (Colo.. 2002) (government access to book records only passes muster under Colorado Constitution if ‘"waiTant 
plus" standard is met by the government — i.e. prior notice, adversarial hearing, and showing of a compelling need). 

H.R. Rep. No, 106-932 to accompany H.R. 5018 (2000) ai 23. 


8 



104 


Require a Suppression Remedy. 

Both the Fouith Amendment and the Wiretap Act provide for an exclusionary remedy: if a law 
enforcement official obtains information in violation of a defendant’s constitutional privacy 
rights or the Act. that information usually cannot be used in a court of law.^’ The same rule, 
however, does not apply to electronic information obtained in violation of HCPA. Without an 
exclusionary rule, there is a lack of deteixence for government overreaching. Unlawfully 
obtained electronic information should be barred from use in court proceedings. A suppression 
remedy provision passed the House .Tudiciary Committee in 2000 as part of HR 5018 and should 
be included in any current Congressional language to modernize HCPA.^^ 

Crafi Reasonable Exceptions. 

Overbroad exceptions and the abuse of 'Voluntary disclosure” procedures arc also depriving 
Americans of tlieir rightful privacy protection. HCPA needs to be revised to close these 
loopholes and ensure that private information is only released outside of the standard process 
when truly necessary. 

Under previous law, a company could only turn records over if it had a "reasonable belief" that 
there was an emergency involving "imminent harm" of deatli or injury to any person. However, 
in 2001 that standard was lowered so that the company’s belief only needed to be held in “good 
faith” and that the harm no longer needed to be imminent. This lowered standard reduced a 
company’s obligation to ensure that its decision to release private information about a user was 
balanced by the exigency of the situation. 

In addition, exceptions to prohibitions on “voluntary” disclosure need to be revised to prevent 
coercive abuse by law enforcement. For example the Inspector General for the Department of 
.Tustice has reported that the FBI circumvented its National Security T.etter (NST^) authority by 
using "exigent letters" to obtain information with the promise that the agent had already 
requested a grand Jury subpoena or an NSL.^^ To prevent such abuse, all requests for 
“emergency” voluntary disclosures under FCPA should clearly state that compliance with the 
request is voluntary and HCPA should require thorough documentation and reporting of all such 
requests. 

Exceptions to the procedural requirements for government access to electronic records should be 
just that: exceptional. ECPA reform should restore the original emergency exception for ECPA 
and require documentation and reporting to ensme that these exceptions are used properly and 
not abused. 


-Tsu.s.c. 2515. 

■■ ElccU'onic Communications Privacy Act of 2000, H.R. 5018, 106 Cong. § 2 (2000). 

Dep’t. of .Tustice. Office of Inspector General. A Review of the Federal Bureau of Tnvestigatioivs Use of National 
Security Lcilcrs (March 2007), at 86-97. available at hup;//www.usdoj.gov/oig/spccial/s0703b/linal.pdf. 
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Conclusion 

We applaud the Committee for holding this hearing and for beginning to undeitake the task of 
reforming ECPA. Changes in the way we communicate with each other in today’s world are 
wondrous viewed through 1980’s spectacles. That wonderment should not be tempered by the 
realization ihai our personal privacy is slipping away. Comprehensive reform of ECPA is a 
needed legislative inilialive that will help preserve die real innovative value of the technology 
boom and set us on a path for even greater innovation to come. 
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Federal Bureau of luvestigatiott 

Agents Association 


May 6, 20 iO 


The Honorable Jerrold Nadler 
Chair 

Subcommittee on the Constitution, 
Civil Rights, and Civil Liberties 
House Judiciary Committee 
2138 Rayburn House Office Building 
Washington, DC 20515 


The Honorable F. James Sensenbrenner 

Ranking Member 

Subcommittee on the Constitution, 

Civil Rights, and Civil Liberties 
House Judiciary Committee 
2142 Rayburn House Office Building 
Washington, DC 20515 


Re: Hearing on Electronic Communications Privacy Act Reform 

Dear Mr. Chairman and Mr. Sensenbrenner: 

On behalf of the FBI Agents Association (FBIAA), a professional association comprised of 
active and retired FBI Agents with a membership of nearly 12,000 Agents nationwide, I write 
to express our appreciation for your investigation into the need to reform the Electronic 
Communications Privacy Act ("ECPA”), and our hope that you will take the necessary 
actions to ensure that ECPA is reformed in a manner that best protects privacy and facilitates 
effective law enforcement efforts. 

The FBIAA understands that ECPA needs to be reformed as a result of the significant 
changes in technology and privacy concerns that have occurred since its adoption. FBI 
Agents are conunitted to protecting our Constitution and the civil liberties of citizens who 
fear that technological changes have resulted in new threats to their privacy. FBI Agents are 
also aware of the fact that criminal and terrorist enterprises are able to exploit privacy 
protections to advance their criminal ends, just as they have been able to exploit weaknesses 
in privacy protections to take advantage of US citizens. Therefore, laws such as ECPA must 
always carefully balance these interests in order to ensure that the goals of safety and privacy 
are both served by legislation. 

As you move to reform ECPA, we hope that you will carefully consider the law enforcement 
implications of any changes, and propose changes that can help law enforcement become 
more effective without sacrificing civil liberties. The FBIAA and its members will be 
pleased to assist in this effort as you move forward. 

Post Office Box 12650 • Arlington, Virginia 22219 
A Non-Govemmental Association 
(703) 247-2173 Fax (703) 247-2175 
E-mail; fbiaa@fbiaa.org www.fbiaa.org 
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The FBIAA appreciates your efforts and thanks you for considering these concerns. 


Sincerely, 




Konrad Motyica 


President 



